diff --git a/.gitignore b/.gitignore
index 7d7a8a8..58b3e9d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/tpm2.0-tools-1.1.0.tar.gz
+SOURCES/tpm2-tools-3.0.1.tar.gz
diff --git a/.tpm2-tools.metadata b/.tpm2-tools.metadata
index a2ad6c3..4e3bb2c 100644
--- a/.tpm2-tools.metadata
+++ b/.tpm2-tools.metadata
@@ -1 +1 @@
-1d27f0e7564e7bf83b5751e5e9eb3f73c5dc971e SOURCES/tpm2.0-tools-1.1.0.tar.gz
+957e94aeca335b40b2e58729f82ce4b4aa5b525a SOURCES/tpm2-tools-3.0.1.tar.gz
diff --git a/SOURCES/0001-tpm2_nvwrite-fix-buffer-overflow.patch b/SOURCES/0001-tpm2_nvwrite-fix-buffer-overflow.patch
new file mode 100644
index 0000000..91ee61d
--- /dev/null
+++ b/SOURCES/0001-tpm2_nvwrite-fix-buffer-overflow.patch
@@ -0,0 +1,91 @@
+From ab1a2d468c4b2ac09a0ac651563653f36a73215f Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 15 Dec 2017 11:43:42 -0800
+Subject: [PATCH] tpm2_nvwrite: fix buffer overflow
+
+As reported by clang asan:
+
+=================================================================
+==435==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe036c0902 at pc 0x0000004a326d bp 0x7ffe036c02f0 sp 0x7ffe036bfaa0
+WRITE of size 2048 at 0x7ffe036c0902 thread T0
+    #0 0x4a326c in __asan_memcpy (/home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite+0x4a326c)
+    #1 0x4e887b in nv_write /home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite.c:129:9
+    #2 0x4e82c4 in tpm2_tool_onrun /home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite.c:316:11
+    #3 0x4e90d9 in main /home/wcrobert/workspace/tpm2-tools/tools/tpm2_tool.c:150:11
+    #4 0x7fdfc968d82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
+    #5 0x4195c8 in _start (/home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite+0x4195c8)
+
+Address 0x7ffe036c0902 is located in stack of thread T0 at offset 1538 in frame
+    #0 0x4e846f in nv_write /home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite.c:76
+
+  This frame has 8 object(s):
+    [32, 172) 'session_data_out'
+    [240, 256) 'sessions_data'
+    [272, 288) 'sessions_data_out'
+    [304, 312) 'session_data_array'
+    [336, 344) 'session_data_out_array'
+    [368, 452) 'nv_public'
+    [496, 500) 'max_data_size'
+    [512, 1538) 'nv_write_data' <== Memory access at offset 1538 overflows this variable
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite+0x4a326c) in __asan_memcpy
+Shadow bytes around the buggy address:
+  0x1000406d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000406d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000406d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000406d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000406d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x1000406d0120:[02]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
+  0x1000406d0130: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000406d0140: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+  0x1000406d0150: 00 00 00 00 00 00 00 00 02 f2 f2 f2 f2 f2 00 f3
+  0x1000406d0160: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000406d0170: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 01 f2 00 f3
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==435==ABORTING
+
+Fix by using the max buffer's size field, not the loaded from
+file buffers size field.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ tools/tpm2_nvwrite.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_nvwrite.c b/tools/tpm2_nvwrite.c
+index 63c892f..a412898 100644
+--- a/tools/tpm2_nvwrite.c
++++ b/tools/tpm2_nvwrite.c
+@@ -127,7 +127,7 @@ static bool nv_write(TSS2_SYS_CONTEXT *sapi_context) {
+         LOG_INFO("The data(size=%d) to be written:", nv_write_data.t.size);
+ 
+         memcpy(nv_write_data.t.buffer, &ctx.nv_buffer.t.buffer[data_offset],
+-                ctx.nv_buffer.t.size);
++                nv_write_data.t.size);
+ 
+         TPM_RC rval = TSS2_RETRY_EXP(Tss2_Sys_NV_Write(sapi_context, ctx.auth_handle,
+                 ctx.nv_index, &sessions_data, &nv_write_data, ctx.offset + data_offset,
+-- 
+2.15.0
+
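Review bot: In the embedded tools/tpm2_nvwrite.c hunk the memcpy length becomes `nv_write_data.t.size`, but nothing visible there shows that this value is capped at the capacity of `nv_write_data.t.buffer`, or that `data_offset + nv_write_data.t.size` stays within `ctx.nv_buffer.t.size` on the source side. The ASan frame quoted in the commit message lists a `max_data_size` local, so the chunk size is presumably derived from it; if that limit can exceed the destination array, the same stack write past `nv_write_data` remains reachable. A guard immediately before the copy would make the bound local and reviewable, for example `if (nv_write_data.t.size > sizeof(nv_write_data.t.buffer)) return false;`. The body of nv_write starts and ends outside the hunk, so how the size is computed should be confirmed against the full file before relying on this one-line change.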
diff --git a/SOURCES/HashEKPublicKey-cleanup.patch b/SOURCES/HashEKPublicKey-cleanup.patch
deleted file mode 100644
index f78ca91..0000000
--- a/SOURCES/HashEKPublicKey-cleanup.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp
---- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp	2016-11-04 07:13:32.000000000 -0700
-+++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp	2017-04-05 15:46:04.144808304 -0700
-@@ -30,7 +30,7 @@
- //**********************************************************************;
- 
- #include <stdarg.h>
--
-+#include <errno.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
-@@ -264,27 +264,69 @@
- 
- unsigned char *HashEKPublicKey(void)
- {
--    printf("Calculating the SHA256 hash of the Endorsement Public Key\n");
--    FILE *fp;
-+    FILE *fp = NULL;
-+    unsigned char *hash = NULL;
-     unsigned char EKpubKey[259];
--    unsigned char *hash = (unsigned char*)malloc(SHA256_DIGEST_LENGTH);
-+    int rc, is_success;
-+    unsigned int i;
-+    size_t read;
-+
-+    printf("Calculating the SHA256 hash of the Endorsement Public Key\n");
-+
-     fp = fopen(outputFile, "rb");
--    if (fp == NULL)
--        printf("File Open Error\n");
--    else 
--    {
--        fseek(fp, 0x66, 0);
--        fread(EKpubKey, 1, 256, fp);
-+    if (fp == NULL) {
-+	    fprintf(stderr, "Could not open file: \"%s\"\n", outputFile);
-+	    return NULL;
-     }
--    fclose(fp);
--    EKpubKey[256] = 0x01; EKpubKey[257] = 0x00; EKpubKey[258] = 0x01; //Exponent
-+    rc = fseek(fp, 0x66, 0);
-+    if (rc < 0) {
-+	    fprintf(stderr, "Could not perform fseek: %s\n", strerror(errno));
-+	    goto out;
-+    }
-+    read = fread(EKpubKey, 1, 256, fp);
-+    if (read != 256) {
-+	    fprintf(stderr, "Could not read whole file.\n");
-+	    goto out;
-+    }
-+
-+    hash = (unsigned char*)malloc(SHA256_DIGEST_LENGTH);
-+    if (hash == NULL) {
-+	    fprintf(stderr, "Memory allocation failed.\n");
-+	    goto out;
-+    }
-+
-+    EKpubKey[256] = 0x01;
-+    EKpubKey[257] = 0x00;
-+    EKpubKey[258] = 0x01; //Exponent
-     SHA256_CTX sha256;
--    SHA256_Init(&sha256);
--    SHA256_Update(&sha256, EKpubKey, sizeof(EKpubKey));
--    SHA256_Final(hash, &sha256);
--    for (int i = 0; i < SHA256_DIGEST_LENGTH; i++)
-+    is_success = SHA256_Init(&sha256);
-+    if (!is_success) {
-+	    fprintf(stderr, "SHA256_Init failed\n");
-+	    goto hash_out;
-+    }
-+
-+    is_success = SHA256_Update(&sha256, EKpubKey, sizeof(EKpubKey));
-+    if (!is_success) {
-+	    fprintf(stderr, "SHA256_Update failed\n");
-+	    goto hash_out;
-+    }
-+
-+    is_success = SHA256_Final(hash, &sha256);
-+    if (!is_success) {
-+	    fprintf(stderr, "SHA256_Final failed\n");
-+	    goto hash_out;
-+    }
-+
-+    for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
-         printf("%02X", hash[i]);
-     printf("\n");
-+    goto out;
-+
-+hash_out:
-+    free(hash);
-+    hash = NULL;
-+out:
-+    fclose(fp);
-     return hash;
- }
- 
diff --git a/SOURCES/add-man-pages.patch b/SOURCES/add-man-pages.patch
new file mode 100644
index 0000000..2320055
--- /dev/null
+++ b/SOURCES/add-man-pages.patch
@@ -0,0 +1,7751 @@
+diff --git a/Makefile.am b/Makefile.am
+index 2034c2500b3e..9dfe2ca1ea7c 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -270,7 +270,6 @@ EXTRA_DIST = $(top_srcdir)/man \
+ 	     README.md \
+ 	     RELEASE.md
+ 
+-if HAVE_PANDOC
+     man1_MANS := \
+     man/man1/tpm2_activatecredential.1 \
+     man/man1/tpm2_certify.1 \
+@@ -311,7 +310,6 @@ if HAVE_PANDOC
+     man/man1/tpm2_takeownership.1 \
+     man/man1/tpm2_unseal.1 \
+     man/man1/tpm2_verifysignature.1
+-endif
+ 
+ MARKDOWN_COMMON_DEPS = \
+ 	man/common/alg.md \
+diff --git a/man/man1/tpm2_activatecredential.1 b/man/man1/tpm2_activatecredential.1
+new file mode 100644
+index 000000000000..afe81e4d4b02
+--- /dev/null
++++ b/man/man1/tpm2_activatecredential.1
+@@ -0,0 +1,178 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_activatecredential" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_activatecredential\f[](1) \- verify that an object is
++protected with a specific key.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_activatecredential\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++Verify that the given content is protected with given keyHandle for
++given handle, and then decrypt and return the secret, if any passwd
++option is missing, assume NULL.
++Currently only support using TCG profile compliant EK as the keyHandle.
++.SH OPTIONS
++.PP
++These options control the object verification:
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: \f[I]HANDLE\f[] of
++the object associated with the created certificate by CA.
++.IP \[bu] 2
++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: The
++\f[I]KEY_HANDLE\f[] of Loaded key used to decrypt the the random seed.
++.IP \[bu] 2
++\f[B]\-C\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
++\f[I]KEY_CONTEXT_FILE\f[] is the path to a context file.
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-password\f[]=\f[I]PASSWORD\f[]: Use
++\f[I]PASSWORD\f[] for providing an authorization value for the
++\f[I]KEY_HANDLE\f[].
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-e\f[], \f[B]\-\-endorse\-password\f[]=\f[I]ENDORSE_PASSWORD\f[]:
++The endorsement password, optional.
++Follows the same formating guidelines as the handle password option \-P.
++.IP \[bu] 2
++\f[B]\-f\f[], \f[B]\-\-in\-file\f[]=\f[I]INPUT_FILE\f[]: Input file
++path, containing the two structures needed by tpm2_activatecredential
++function.
++This is created via the tpm2_makecredential(1) command.
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]: Output file
++path, record the secret to decrypt the certificate.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_activatecredential\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ abc123\ \-e\ abc123\ \-f\ <filePath>\ \-o\ <filePath>
++tpm2_activatecredential\ \-c\ ak.context\ \-C\ ek.context\ \-P\ abc123\ \-e\ abc123\ \-f\ <filePath>\ \-o\ <filePath>
++tpm2_activatecredential\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 123abc\ \-e\ 1a1b1c\ \-X\ \-f\ <filePath>\ \-o\ <filePath>
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_certify.1 b/man/man1/tpm2_certify.1
+new file mode 100644
+index 000000000000..f1a5af18d65b
+--- /dev/null
++++ b/man/man1/tpm2_certify.1
+@@ -0,0 +1,201 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_certify" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_certify\f[](1) \- prove that an object is loaded in the tpm.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_certify\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_certify\f[](1) proves that an object with a specific
++\f[I]NAME\f[] is loaded in the TPM.
++By certifying that the object is loaded, the TPM warrants that a public
++area with a given \f[I]NAME\f[] is self\-consistent and associated with
++a valid sensitive area.
++If a relying party has a public area that has the same \f[I]NAME\f[] as
++a \f[I]NAME\f[] certified with this command, then the values in that
++public area are correct.
++The object may be any object that is loaded with TPM2_Load() or
++TPM2_CreatePrimary().
++An object that only has its public area loaded cannot be certified.
++.SH OPTIONS
++.PP
++These options control the ceritifcation:
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-obj\-handle\f[]=\f[I]OBJECT_HANDLE\f[]: The
++handle of the object to be certified.
++.IP \[bu] 2
++\f[B]\-C\f[], \f[B]\-\-obj\-context\f[]=\f[I]FILE\f[]: Use \f[I]FILE\f[]
++for providing the object context.
++.IP \[bu] 2
++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: Handle of
++the key used to sign the attestation structure.
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT\f[]: Filename
++of the key context used to sign the attestation structure.
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwdo\f[]=\f[I]OBJECT_PASSWORD\f[]: Use
++\f[I]OBJECT_PASSWORD\f[] for providing an authorization value for the
++object specified in \f[I]OBJECT_HANDLE\f[].
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-K\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: Use
++\f[I]KEY_PASSWORD\f[] for providing an authorization value for the key
++specified in \f[I]KEY_HANDLE\f[].
++Follows the same formatting guidelines as the object handle password or
++\-P option.
++.IP \[bu] 2
++\f[B]\-a\f[], \f[B]\-\-attest\-file\f[]=\f[I]ATTEST_FILE\f[]: Output
++file name for the attestation data.
++.IP \[bu] 2
++\f[B]\-s\f[], \f[B]\-\-sig\-file\f[]=\f[I]SIG_FILE\f[]: Output file name
++for the signature data.
++.IP \[bu] 2
++\f[B]\-f\f[], \f[B]\-\-format\f[]
++.RS 2
++.PP
++Format selection for the signature output file.
++See section "Signature Format Specifiers".
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH Signature Format Specifiers
++.PP
++Format selection for the signature output file.
++\f[B]tss\f[] (the default) will output a binary blob according to the
++TPM 2.0 specification and any potential compiler padding.
++The option \f[B]plain\f[] will output the plain signature data as
++defined by the used cryptographic algorithm.
++# EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_certify\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 0x0011\ \-K\ 0x00FF\ \-g\ 0x00B\ \-a\ <fileName>\ \-s\ <fileName>
++tpm2_certify\ \-C\ obj.context\ \-c\ key.context\ \-P\ 0x0011\ \-K\ 0x00FF\ \-g\ 0x00B\ \-a\ <fileName>\ \-s\ <fileName>
++tpm2_certify\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 0011\ \-K\ 00FF\ \-X\ \-g\ 0x00B\ \-a\ <fileName>\ \-s\ <fileName>
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_create.1 b/man/man1/tpm2_create.1
+new file mode 100644
+index 000000000000..80e158428a26
+--- /dev/null
++++ b/man/man1/tpm2_create.1
+@@ -0,0 +1,271 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_create" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_create\f[](1) \- create an object that can be loaded into a
++TPM using tpm2_load.
++The object will need to be loaded before it may be used.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_create\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_create\f[](1) \- create an object that can be loaded into a
++TPM using tpm2_load.
++The object will need to be loaded before it may be used.
++.SH OPTIONS
++.PP
++These options for creating the tpm entity:
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-pparent\f[]=\f[I]PARENT_HANDLE\f[]: The handle of
++the parent object to create this object under.
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-context\-parent\f[]=\f[I]PARENT_CONTEXT_FILE\f[]:
++The filename for parent context.
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: The
++password for parent key, optional.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-K\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: The password for
++key, optional.
++Follows the password formatting of the "password for parent key" option:
++\-P.
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]ALGORITHM\f[]: The hash algorithm
++to use.
++Algorithms should follow the " formatting standards, see section
++"Algorithm Specifiers".
++Also, see section "Supported Hash Algorithms" for a list of supported
++hash algorithms.
++.IP \[bu] 2
++\f[B]\-G\f[], \f[B]\-\-kalg\f[]=\f[I]KEY_ALGORITHM\f[]: The algorithm
++associated with this object.
++It accepts friendly names just like \-g option.
++See section "Supported Public Object Algorithms" for a list of supported
++object algorithms.
++.IP \[bu] 2
++\f[B]\-A\f[], \f[B]\-\-object\-attributes\f[]=\f[I]ATTRIBUTES\f[]: The
++object attributes, optional.
++Object attribytes follow the specifications as outlined in "object
++attribute specifiers".
++The default for created objects is:
++.RS 2
++.PP
++\f[C]TPMA_OBJECT_SIGN|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-I\f[], \f[B]\-\-in\-file\f[]=\f[I]FILE\f[]: The data file to be
++sealed, optional.
++If file is \-, read from stdin.
++When sealing data only the TPM_ALG_KEYEDHASH algorithm is allowed.
++.IP \[bu] 2
++\f[B]\-L\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: The input
++policy file, optional.
++.IP \[bu] 2
++\f[B]\-u\f[], \f[B]\-\-pubfile\f[]=\f[I]OUTPUT_PUBLIC_FILE\f[]: The
++output file which contains the public portion of the created object,
++optional.
++.IP \[bu] 2
++\f[B]\-r\f[], \f[B]\-\-privfile\f[]=\f[I]OUTPUT_PRIVATE_FILE\f[]: The
++output file which contains the sensitive portion of the object,
++optional.
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
++Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH Supported Hash Algorithms
++.PP
++Supported hash algorithms are:
++.IP \[bu] 2
++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
++\f[B](default)\f[]
++.IP \[bu] 2
++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
++.IP \[bu] 2
++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
++.IP \[bu] 2
++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
++.IP \[bu] 2
++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Supported Public Object Algorithms
++.PP
++Supported public object algorithms are:
++.IP \[bu] 2
++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
++(\f[B]default\f[]).
++.IP \[bu] 2
++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
++.IP \[bu] 2
++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
++.IP \[bu] 2
++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH Object Attributes
++.PP
++Object Attributes are used to control various properties of created
++objects.
++When specified as an option, either the raw bitfield mask or
++"nice\-names" may be used.
++The values can be found in Table 31 Part 2 of the TPM2.0 specification,
++which can be found here:
++.PP
++<https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>
++.PP
++Nice names are calculated by taking the name field of table 31 and
++removing the prefix \f[B]TPMA_OBJECT_\f[] and lowercasing the result.
++Thus, \f[B]TPMA_OBJECT_FIXEDTPM\f[] becomes fixedtpm.
++Nice names can be joined using the bitwise or "|" symbol.
++.PP
++For instance, to set The fields \f[B]TPMA_OBJECT_FIXEDTPM\f[],
++\f[B]TPMA_OBJECT_NODA\f[], and \f[B]TPMA_OBJECT_SIGN\f[], the argument
++would be:
++.PP
++\f[B]fixedtpm|noda|sign\f[]
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_create\ \-H\ 0x81010001\ \-P\ abc123\ \-K\ def456\ \-g\ sha256\ \-G\ keyedhash\-I\ data.File\ \-o\ opu.File
++tpm2_create\ \-c\ parent.context\ \-P\ abc123\ \-K\ def456\ \-g\ sha256\ \-G\ keyedhash\ \-I\ data.File\ \-o\ opu.File
++tpm2_create\ \-H\ 0x81010001\ \-P\ 123abc\ \-K\ 456def\ \-X\ \-g\ sha256\ \-G\ keyedhash\ \-I\ data.File\ \-o\ opu.File
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_createpolicy.1 b/man/man1/tpm2_createpolicy.1
+new file mode 100644
+index 000000000000..355137e38852
+--- /dev/null
++++ b/man/man1/tpm2_createpolicy.1
+@@ -0,0 +1,186 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_createpolicy" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_createpolicy\f[](1) \- Creates simple assertion authorization
++policies based on multiple pcr indices values across multiple enabled
++banks.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_createpolicy\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_createpolicy\f[](1) \- Creates simple assertion authorization
++policies based on multiple pcr indices values across multiple enabled
++banks.
++It can then be used with object creation and or tools using the object.
++.SH OPTIONS
++.PP
++These options control creating the policy authorization session:
++.IP \[bu] 2
++\f[B]\-f\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: File to
++save the policy digest.
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-policy\-pcr\f[]: Identifies the PCR policy type
++for policy creation.
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-policy\-digest\-alg\f[]=\f[I]HASH_ALGORITHM\f[]:
++The hash algorithm used in computation of the policy digest.
++Algorithms should follow the "formatting standards, see section
++"Algorithm Specifiers".
++Also, see section "Supported Hash Algorithms" for a list of supported
++hash algorithms.
++.IP \[bu] 2
++\f[B]\-L\f[], \f[B]\-\-set\-list\f[]=\f[I]PCR_LIST\f[]: The list of pcr
++banks and selected PCRs\[aq] ids (0~23) for each bank.
++.IP \[bu] 2
++\f[B]\-F\f[], \f[B]\-\-pcr\-input\-file\f[]=\f[I]PCR_FILE\f[]: Optional
++Path or Name of the file containing expected pcr values for the
++specified index.
++Default is to read the current PCRs per the set list.
++.IP \[bu] 2
++\f[B]\-e\f[], \f[B]\-\-extend\-policy\-session\f[]: Retains the policy
++session at the end of operation.
++.IP \[bu] 2
++\f[B]\-a\f[], \f[B]\-\-auth\-policy\-session\f[]: Start a policy session
++of type \f[B]TPM_SE_POLICY\f[].
++Default without this option is \f[B]TPM_SE_TRIAL\f[].
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Supported Hash Algorithms
++.PP
++Supported hash algorithms are:
++.IP \[bu] 2
++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
++\f[B](default)\f[]
++.IP \[bu] 2
++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
++.IP \[bu] 2
++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
++.IP \[bu] 2
++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
++.IP \[bu] 2
++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH EXAMPLES
++.PP
++Create a authorization policy tied to a specific PCR index:
++.PP
++\f[B]tpm2_createpolicy \-P \-L 0x4:0 \-f policy.file \-F pcr0.bin\f[]
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_createprimary.1 b/man/man1/tpm2_createprimary.1
+new file mode 100644
+index 000000000000..5a77fc162ef1
+--- /dev/null
++++ b/man/man1/tpm2_createprimary.1
+@@ -0,0 +1,273 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_createprimary" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_createprimary\f[](1) \- Create a primary key under a primary
++seed or a temporary primary key under the \f[B]TPM_RH_NULL\f[]
++hierarchy.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_createprimary\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_createprimary\f[](1) \- This command is used to create a
++Primary Object under one of the Primary Seeds or a Temporary Object
++under \f[B]TPM_RH_NULL\f[].
++The command uses a \f[B]TPM2B_PUBLIC\f[] as a template for the object to
++be created.
++The command will create and load a Primary Object.
++The sensitive area is not returned.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-hierarchy\f[]=\f[I]HIERARCHY\f[]: Specify the
++hierarchy under which the object is created.
++This will also dictate which authorization secret (if any) must be
++supplied.
++Supported options are:
++.RS 2
++.IP \[bu] 2
++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[]
++.IP \[bu] 2
++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[]
++.IP \[bu] 2
++\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[]
++.IP \[bu] 2
++\f[B]n\f[] for \f[B]TPM_RH_NULL\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: Optional
++authorization string if authorization is required to create object under
++the specified hierarchy.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-K\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: Optional
++authorization string for the newly created object.
++Follows the same password formating guidelines as the parent
++authorization string under the \-P option.
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]ALGORITHM\f[]: The hash algorithm
++to use.
++Algorithms should follow the " formatting standards, see section
++"Algorithm Specifiers".
++Also, see section "Supported Hash Algorithms" for a list of supported
++hash algorithms.
++.IP \[bu] 2
++\f[B]\-G\f[], \f[B]\-\-kalg\f[]=\f[I]KEY_ALGORITHM\f[]: Algorithm type
++for generated key.
++It supports friendly names like the \-g option.
++See section "Supported Public Object Algorithms" for a list of supported
++object algorithms.
++.IP \[bu] 2
++\f[B]\-C\f[], \f[B]\-\-context\f[]=\f[I]CONTEXT_FILE\f[]: An optional
++file used to store the object context returned.
++.IP \[bu] 2
++\f[B]\-L\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: An
++optional file input that contains the policy digest for policy based
++authorization of the object.
++.IP \[bu] 2
++\f[B]\-A\f[], \f[B]\-\-object\-attributes\f[]=\f[I]ATTRIBUTES\f[]: The
++object attributes, optional.
++Object attribytes follow the specifications as outlined in "object
++attribute specifiers".
++The default for created objects is:
++.RS 2
++.PP
++\f[C]TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
++Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH Supported Hash Algorithms
++.PP
++Supported hash algorithms are:
++.IP \[bu] 2
++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
++\f[B](default)\f[]
++.IP \[bu] 2
++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
++.IP \[bu] 2
++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
++.IP \[bu] 2
++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
++.IP \[bu] 2
++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Supported Public Object Algorithms
++.PP
++Supported public object algorithms are:
++.IP \[bu] 2
++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
++(\f[B]default\f[]).
++.IP \[bu] 2
++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
++.IP \[bu] 2
++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
++.IP \[bu] 2
++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH Object Attributes
++.PP
++Object Attributes are used to control various properties of created
++objects.
++When specified as an option, either the raw bitfield mask or
++"nice\-names" may be used.
++The values can be found in Table 31 Part 2 of the TPM2.0 specification,
++which can be found here:
++.PP
++<https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>
++.PP
++Nice names are calculated by taking the name field of table 31 and
++removing the prefix \f[B]TPMA_OBJECT_\f[] and lowercasing the result.
++Thus, \f[B]TPMA_OBJECT_FIXEDTPM\f[] becomes fixedtpm.
++Nice names can be joined using the bitwise or "|" symbol.
++.PP
++For instance, to set The fields \f[B]TPMA_OBJECT_FIXEDTPM\f[],
++\f[B]TPMA_OBJECT_NODA\f[], and \f[B]TPMA_OBJECT_SIGN\f[], the argument
++would be:
++.PP
++\f[B]fixedtpm|noda|sign\f[]
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_createprimary\ \-H\ o\ \-g\ sha256\ \-G\ ecc\ \-C\ context.out
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_dictionarylockout.1 b/man/man1/tpm2_dictionarylockout.1
+new file mode 100644
+index 000000000000..d8e5be903645
+--- /dev/null
++++ b/man/man1/tpm2_dictionarylockout.1
+@@ -0,0 +1,155 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_dictionarylockout" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_dictionarylockout\f[](1) \- setup or clear
++dictionary\-attack\-lockout parameters.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_dictionarylockout\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_dictionarylockout\f[](1) \- setup dictionary\-attack\-lockout
++parameters or clear dictionary\-attack\-lockout state, if any passwd
++option is missing, assume NULL.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-s\f[], \f[B]\-\-setup\-parameters\f[]=\f[I]SETUP_PARAMETERS\f[]:
++specifies the tool should operate to setup dictionary\-attack\-lockout
++parameters.
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-clear\-lockout\f[]: specifies the tool should
++operate to clear dictionary\-attack\-lockout state.
++.IP \[bu] 2
++\f[B]\-l\f[], \f[B]\-lockout\-recovery\-time\f[]=\f[I]LOCKOUT_TIME\f[]:
++specifies the wait time in seconds before another TPM_RH_LOCKOUT
++authentication attempt can be made after a failed authentication.
++.IP \[bu] 2
++\f[B]\-t\f[], \f[B]\-\-recovery\-time\f[]=\f[I]RECOVERY_TIME\f[]:
++specifies the wait time in seconds before another DA\-protected\-object
++authentication attempt can be made after max\-tries number of failed
++authentications.
++.IP \[bu] 2
++\f[B]\-n\f[], \f[B]\-\-max\-tries\f[]=\f[I]MAX_TRYS\f[]: specifies the
++maximum number of allowed authentication attempts on
++DA\-protected\-object; after which DA is activated.
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
++Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_dictionarylockout\ \-c\ \-p\ passwd
++tpm2_dictionarylockout\ \-s\ \-n\ 5\ \-t\ 6\ \-l\ 7\ \-p\ passwd
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_encryptdecrypt.1 b/man/man1/tpm2_encryptdecrypt.1
+new file mode 100644
+index 000000000000..39fa1ee57d12
+--- /dev/null
++++ b/man/man1/tpm2_encryptdecrypt.1
+@@ -0,0 +1,169 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_encryptdecrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_encryptdecrypt\f[](1) \- performs symmetric encryption or
++decryption.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_encryptdecrypt\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++tpm2_encryptdecrypt(1) \- performs symmetric encryption or decryption
++with a specified symmetric key.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: the
++symmetric key used for the operation (encryption/decryption).
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
++filename of the key context used for the operation.
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: filename of the
++key context used for the operation.
++The password for parent key, optional.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-D\f[], \f[B]\-\-decrypt\f[]: Perform a decrypt operation.
++Default is encryption.
++.IP \[bu] 2
++\f[B]\-I\f[], \f[B]\-\-in\-file\f[]=\f[I]INPUT_FILE\f[]: Input file path
++containing data for decrypt or encrypt operation.
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
++Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_encryptdecrypt\ \-k\ 0x81010001\ \-P\ abc123\ \-D\ NO\ \-I\ <filePath>\ \-o\ <filePath>
++tpm2_encryptdecrypt\ \-c\ key.context\ \-P\ abc123\ \-D\ NO\ \-I\ <filePath>\ \-o\ <filePath>
++tpm2_encryptdecrypt\ \-k\ 0x81010001\ \-P\ 123abca\ \-X\ \-D\ NO\ \-I\ <filePath>\ \-o\ <filePath>
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_evictcontrol.1 b/man/man1/tpm2_evictcontrol.1
+new file mode 100644
+index 000000000000..37102a6fb634
+--- /dev/null
++++ b/man/man1/tpm2_evictcontrol.1
+@@ -0,0 +1,180 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_evictcontrol" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_evictcontrol\f[](1) \- Make a transient object persistent or
++evict a persistent object.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_evictcontrol\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_evictcontrol\f[](1) \- allows a transient object to be made
++persistent or a persistent object to be evicted.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-A\f[], \f[B]\-\-auth\f[]=\f[I]AUTH\f[]: The authorization used to
++authorize the commands.
++Valid choices are:
++.RS 2
++.IP \[bu] 2
++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[]
++.IP \[bu] 2
++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: The handle of a
++loaded transient or a persistent object.
++.RS 2
++.PP
++If the handle is for a transient object, then a handle that will be
++assigned to the persisted object must also be specified with the
++\f[B]\-S\f[] option.
++.PP
++If the handle is for a persistent object, then the \f[B]\-S\f[] does not
++need to be provided since the handle must be the same for both options.
++.RE
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-context\f[]=\f[I]OBJECT_CONTEXT_FILE\f[]:
++Filename for object context.
++.IP \[bu] 2
++\f[B]\-S\f[], \f[B]\-\-persistent\f[]=\f[I]PERSISTENT_HANDLE\f[]: The
++persistent handle for the object handle specified via \f[I]HANDLE\f[].
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwda\f[]=\f[I]AUTH_PASSWORD\f[]: authorization
++password, optional.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_evictcontrol\ \-A\ o\ \-c\ object.context\ \-S\ 0x81010002\ \-P\ abc123
++tpm2_evictcontrol\ \-A\ o\ \-H\ 0x81010002\ \-S\ 0x81010002\ \-P\ abc123
++tpm2_evictcontrol\ \-A\ o\ \-H\ 0x81010002\ \-S\ 0x81010002\ \-P\ 123abc
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_getcap.1 b/man/man1/tpm2_getcap.1
+new file mode 100644
+index 000000000000..c7547a52ef35
+--- /dev/null
++++ b/man/man1/tpm2_getcap.1
+@@ -0,0 +1,161 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_getcap" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_getcap\f[](1) \- Display TPM capabilities in a human readable
++form.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_getcap\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_getcap\f[](1) \- Query the TPM for it\[aq]s capabilities /
++properties and dump them to the console.
++This is a thin wrapper around the GetCapability command.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-capability\f[]=\f[I]CAPABILITY_NAME\f[]: The name
++of the capability group to query.
++Currently supported capability groups are:
++.RS 2
++.IP \[bu] 2
++properties\-fixed: Display fixed TPM properties.
++.IP \[bu] 2
++properties\-variable: Display variable TPM properties.
++.IP \[bu] 2
++algorithms: Display data about supported algorithms.
++.IP \[bu] 2
++commands: Display data about supported commands.
++.IP \[bu] 2
++ecc\-curves: Display data about elliptic curves.
++.IP \[bu] 2
++handles\-transient: Display handles about transient objects.
++.IP \[bu] 2
++handles\-persistent: Display handles about persistent objects.
++.IP \[bu] 2
++handles\-permanent: Display handles about permanent objects.
++.IP \[bu] 2
++handles\-pcr: Display handles about PCRs.
++.IP \[bu] 2
++handles\-nv\-index: Display handles about NV Indices.
++.IP \[bu] 2
++handles\-loaded\-session: Display handles about both loaded HMAC and
++policy sessions.
++.IP \[bu] 2
++handles\-saved\-session: Display handles about saved sessions.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_getcap\ \-\-capability="properties\-fixed"
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_getmanufec.1 b/man/man1/tpm2_getmanufec.1
+new file mode 100644
+index 000000000000..93b2a485c73e
+--- /dev/null
++++ b/man/man1/tpm2_getmanufec.1
+@@ -0,0 +1,225 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_getmanufec" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_getmanufec\f[](1) \- Retrieve the Endorsement Credential
++Certificate for the TPM endorsement key from the TPM manufacturer\[aq]s
++endorsement certificate hosting server.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_getmanufec\f[] [\f[I]OPTIONS\f[]] [\f[I]URL\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_getmanufec\f[](1) \- Retrieve the Endorsement Credential
++Certificate for the TPM endorsement key from the TPM manufacturer\[aq]s
++endorsement certificate hosting server.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-e\f[], \f[B]\-\-endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]:
++specifies current endorse password (string, optional,default:NULL).
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[]:
++specifies current owner password (string, optional,default:NULL).
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-ek\-passwd\f[]=\f[I]EK_PASSWORD\f[]: specifies
++the EK password when created (string,optional,default:NULL).
++.RS 2
++.PP
++Passwords should follow the password formatting standards, see section
++"Password Formatting".
++.RE
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: specifies the handle
++used to make EK persistent (hex).
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: specifies the
++algorithm type of EK.
++See section "Supported Public Object Algorithms" for a list of supported
++object algorithms.
++See section "Algorithm Specifiers" on how to specify an algorithm
++argument.
++.IP \[bu] 2
++\f[B]\-f\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[]: Specifies the file used
++to save the public portion of EK.
++.IP \[bu] 2
++\f[B]\-N\f[], \f[B]\-\-non\-persistent\f[]: specifies to readout the EK
++public without making it persistent.
++.IP \[bu] 2
++\f[B]\-O\f[], \f[B]\-\-offline\f[]=\f[I]FILE\f[]: Specifies the file
++that contains an EK retrieved from offline platform that needs to be
++provisioned.
++.IP \[bu] 2
++\f[B]\-E\f[], \f[B]\-\-ec\-cert\f[]=\f[I]EC_CERT_FILE\f[]: Specifies the
++file used to save the Endorsement Credentials retrieved from the TPM
++manufacturer provisioning server.
++Defaults to stdout if not specified.
++.IP \[bu] 2
++\f[B]\-U\f[], \f[B]\-\-SSL_NO_VERIFY\f[]: specifies to attempt
++connecting with the TPM manufacturer provisioning server with
++SSL_NO_VERIFY option.
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
++Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH Supported Public Object Algorithms
++.PP
++Supported public object algorithms are:
++.IP \[bu] 2
++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
++(\f[B]default\f[]).
++.IP \[bu] 2
++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
++.IP \[bu] 2
++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
++.IP \[bu] 2
++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH NOTES
++.PP
++When the verbose option is specified, additional curl debugging
++information is provided by setting the curl mode verbose, see:
++<https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html> for more
++information.
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_getmanufec\ \-e\ abc123\ \-o\ abc123\ \-P\ passwd\ \-H\ 0x81010001\-g\ 0x01\ \-O\ \-N\ \-U\ \-E\ ECcert.bin\ \-f\ ek.bin\ https://tpm.manufacturer.com/ekcertserver/
++tpm2_getmanufec\ \-e\ 1a1b1c\ \-o\ 1a1b1c\ \-P\ 123abc\ \-H\ 0x81010001\-g\ 0x01\ \-O\ \-N\ \-U\ \-E\ ECcert.bin\ \-f\ ek.bin\ https://tpm.manufacturer.com/ekcertserver/
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_getpubak.1 b/man/man1/tpm2_getpubak.1
+new file mode 100644
+index 000000000000..32f9ca0222e9
+--- /dev/null
++++ b/man/man1/tpm2_getpubak.1
+@@ -0,0 +1,241 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_getpubak" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_getpubak\f[](1) \- Generate attestation key with given
++algorithm under the endorsement hierarchy.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_getpubak\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_getpubak\f[](1) \- Generate attestation key with given
++algorithm under endorsement hierarchy, make it persistent with given ak
++handle, and return pub AK and AK name.
++If any passwd option is missing, assume NULL.
++.PP
++The tool outputs to stdout a YAML representation of the loaded key
++handle as well as it\[aq]s name, for example:
++.IP
++.nf
++\f[C]
++loaded\-key:
++\ \ handle:\ 800000ff
++\ \ name:\ 000bac149518baa05540a0678bd9b624f8a98d042e46c60f4d098ba394d36fc49268
++\f[]
++.fi
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-e\f[], \f[B]\-\-endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]:
++Specifies current endorsement password, defaults to NULL.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-ak\-passwd\f[]=\f[I]AK_PASSWORD\f[] Specifies the
++AK password when created, defaults to NULL.
++Same formatting as the endorse password value or \-e option.
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[]
++Specifies the current owner password, defaults to NULL.
++Same formatting as the endorse password value or \-e option.
++.IP \[bu] 2
++\f[B]\-E\f[], \f[B]\-\-ek\-handle\f[]=\f[I]EK_HANDLE\f[]: Specifies the
++handle used to make EK persistent.
++.IP \[bu] 2
++\f[B]\-k\f[], \f[B]\-\-ak\-handle\f[]=\f[I]AK_HANDLE\f[]: Specifies the
++handle used to make AK persistent.
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: Specifies the
++algorithm type of AK.
++Algorithms should follow the " formatting standards, see section
++"Algorithm Specifiers".
++See section "Supported Public Object Algorithms" for a list of supported
++object algorithms.
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: Like \-g, but
++specifies the algorithm of sign.
++See section "Supported Signing Algorithms" for details.
++.IP \[bu] 2
++\f[B]\-f\f[], \f[B]\-\-file\f[]=\f[I]FILE\f[]: Specifies the file used
++to save the public portion of AK.
++This will be a binary data structure corresponding to the TPM2B_PUBLIC
++struct in the specification.
++.IP \[bu] 2
++\f[B]\-n\f[], \f[B]\-\-ak\-name\f[]=\f[I]NAME\f[]: Specifies the file
++used to save the ak name, optional.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH Supported Signing Algorithms
++.PP
++Supported algorithms are:
++.IP \[bu] 2
++\f[B]0x5\f[] or \f[B]hmac\f[] for \f[B]TPM_ALG_HMAC\f[]
++\f[B](default)\f[]
++.IP \[bu] 2
++\f[B]0x14\f[] or \f[B]rsassa\f[] for \f[B]TPM_ALG_RSASSA\f[]
++.IP \[bu] 2
++\f[B]0x16\f[] or \f[B]rsapss\f[] for \f[B]TPM_ALG_RSAPSS\f[]
++.IP \[bu] 2
++\f[B]0x18\f[] or \f[B]ecdsa\f[] for \f[B]TPM_ALG_ECDSA\f[]
++.IP \[bu] 2
++\f[B]0x1A\f[] or \f[B]ecdaa\f[] for \f[B]TPM_ALG_ECDAA\f[]
++.IP \[bu] 2
++\f[B]0x1B\f[] or \f[B]sm2\f[] for \f[B]TPM_ALG_SM2\f[]
++.IP \[bu] 2
++\f[B]0x1C\f[] or \f[B]ecschnorr\f[] for \f[B]TPM_ALG_ECSCHNORR\f[]
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Supported Public Object Algorithms
++.PP
++Supported public object algorithms are:
++.IP \[bu] 2
++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
++(\f[B]default\f[]).
++.IP \[bu] 2
++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
++.IP \[bu] 2
++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
++.IP \[bu] 2
++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_getpubak\ \-e\ abc123\ \-P\ abc123\ \-o\ passwd\ \-E\ 0x81010001\ \-k\ 0x81010002\ \-f\ ./ak.pub\ \-n\ ./ak.name
++tpm2_getpubak\ \-e\ 1a1b1c\ \-P\ 123abc\ \-o\ 1a1b1c\ \-X\ \-E\ 0x81010001\ \-k\ 0x81010002\ \-f\ ./ak.pub\ \-n\ ./ak.name
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_getpubek.1 b/man/man1/tpm2_getpubek.1
+new file mode 100644
+index 000000000000..1115b1095c6c
+--- /dev/null
++++ b/man/man1/tpm2_getpubek.1
+@@ -0,0 +1,189 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_getpubek" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_getpubek\f[](1) \- Generate TCG profile compliant endorsement
++key.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_getpubek\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_getpubek\f[](1) \- Generate TCG profile compliant endorsement
++key(endorsement hierarchy primary object), make it persistent with give
++ek handle, and return public EK, if any passwd option is missing, assume
++NULL.
++.PP
++Refer to:
++<http://www.trustedcomputinggroup.org/files/static_page_files/7CAA5687-1A4B-B294-D04080D058E86C5F>
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-e\f[], \f[B]\-\-endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]:
++Specifies current endorsement password, defaults to NULL.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[]
++Specifies the current owner password, defaults to NULL.
++Same formatting as the endorse password value or \-e option.
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-eKPasswd\f[]=\f[I]EK_PASSWORD\f[] Specifies the
++EK password when created, defaults to NULL.
++Same formatting as the endorse password value or \-e option.
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: specifies the handle
++used to make EK persistent (hex).
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: specifies the
++algorithm type of EK.
++See section "Supported Public Object Algorithms" for a list of supported
++object algorithms.
++See section "Algorithm Specifiers" on how to specify an algorithm
++argument.
++.IP \[bu] 2
++\f[B]\-f\f[], \f[B]\-\-file\f[]=\f[I]FILE\f[]: specifies the file used
++to save the public portion of EK.
++This will be a binary data structure corresponding to the TPM2B_PUBLIC
++struct in the specification.
++.IP \[bu] 2
++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION\f[]:
++Optional Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Supported Public Object Algorithms
++.PP
++Supported public object algorithms are:
++.IP \[bu] 2
++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
++(\f[B]default\f[]).
++.IP \[bu] 2
++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
++.IP \[bu] 2
++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
++.IP \[bu] 2
++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_getpubek\ \-e\ abc123\ \-o\ abc123\ \-P\ passwd\ \-H\ 0x81010001\ \-g\ rsa\ \-f\ ek.pub
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_getrandom.1 b/man/man1/tpm2_getrandom.1
+new file mode 100644
+index 000000000000..1b345f3d43df
+--- /dev/null
++++ b/man/man1/tpm2_getrandom.1
+@@ -0,0 +1,144 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_getrandom" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_getrandom\f[](1) \- Retrieves random bytes from the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_getrandom\f[] [\f[I]OPTIONS\f[]] \f[I]SIZE\f[]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_getrandom\f[](1) \- Returns the next \f[I]SIZE\f[] octets from
++the random number generator.
++The \f[I]SIZE\f[] parameter is expected as the only argument to the
++tool.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[] specifies the filename
++to output the raw bytes to.
++Defaults to stdout as a hex string.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.PP
++Generate a random 20 bytes and output the binary data to a file:
++.IP
++.nf
++\f[C]
++tpm2_getrandom\ \-o\ random.out\ 20
++\f[]
++.fi
++.PP
++Generate a random 8 bytes and output the hex formated data to stdout:
++.IP
++.nf
++\f[C]
++tpm2_getrandom\ 8
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_hash.1 b/man/man1/tpm2_hash.1
+new file mode 100644
+index 000000000000..5c18718ce893
+--- /dev/null
++++ b/man/man1/tpm2_hash.1
+@@ -0,0 +1,190 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_hash" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_hash\f[](1) \- Performs a hash operation with the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_hash\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_hash\f[](1) \- performs a hash operation on \f[I]FILE\f[] and
++returns the results.
++If \f[I]FILE\f[] is not specified, then data is read from stdin.
++If the results of the hash will be used in a signing operation that uses
++a restricted signing key, then the ticket returned by this command can
++indicate that the hash is safe to sign.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-hierarchy\f[]=\f[I]HIERARCHY\f[]: hierarchy to
++use for the ticket.
++Supported options are:
++.RS 2
++.IP \[bu] 2
++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[]
++.IP \[bu] 2
++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[]
++.IP \[bu] 2
++\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[]
++.IP \[bu] 2
++\f[B]n\f[] for \f[B]TPM_RH_NULL\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]: The hash
++algorithm to use.
++Algorithms should follow the "formatting standards, see section
++"Algorithm Specifiers".
++Also, see section "Supported Hash Algorithms" for a list of supported
++hash algorithms.
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-outfile\f[]=\f[I]OUT_FILE\f[] Optional file
++record of the hash result.
++Defaults to stdout in hex form.
++.IP \[bu] 2
++\f[B]\-t\f[], \f[B]\-\-ticket\f[]=\f[I]TICKET_FILE\f[] Optional file
++record of the ticket result.
++Defaults to stdout in hex form.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Supported Hash Algorithms
++.PP
++Supported hash algorithms are:
++.IP \[bu] 2
++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
++\f[B](default)\f[]
++.IP \[bu] 2
++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
++.IP \[bu] 2
++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
++.IP \[bu] 2
++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
++.IP \[bu] 2
++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH EXAMPLES
++.PP
++Hash a file with sha1 hash algorithm and save the hash and ticket to a
++file:
++.IP
++.nf
++\f[C]
++tpm2_hash\ \-H\ e\ \-g\ sha1\ \-o\ hash.bin\ \-t\ ticket.bin\ data.txt
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_hmac.1 b/man/man1/tpm2_hmac.1
+new file mode 100644
+index 000000000000..fbb81f947f0d
+--- /dev/null
++++ b/man/man1/tpm2_hmac.1
+@@ -0,0 +1,214 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_hmac" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_hmac\f[](1) \- Performs an HMAC operation with the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_hmac\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_hmac\f[](1) \- performs an HMAC operation on \f[I]FILE\f[] and
++returns the results.
++If \f[I]FILE\f[] is not specified, then data is read from stdin.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_CONTEXT_FILE\f[]: The
++key handle for the symmetric signing key providing the HMAC key.
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: The
++filename of the key context used for the operation.
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: The password for
++key, optional.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]: The hash
++algorithm to use.
++Algorithms should follow the "formatting standards, see section
++"Algorithm Specifiers".
++Also, see section "Supported Hash Algorithms" for a list of supported
++hash algorithms.
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-outfile\f[]=\f[I]OUT_FILE\f[] Optional file
++record of the HMAC result.
++Defaults to stdout.
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
++Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH Supported Hash Algorithms
++.PP
++Supported hash algorithms are:
++.IP \[bu] 2
++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
++\f[B](default)\f[]
++.IP \[bu] 2
++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
++.IP \[bu] 2
++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
++.IP \[bu] 2
++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
++.IP \[bu] 2
++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH EXAMPLES
++.PP
++Perform a SHA1 HMAC on data.in and send output and possibly ticket to
++stdout:
++.IP
++.nf
++\f[C]
++tpm2_hmac\ \-k\ 0x81010002\ \-P\ abc123\ \-g\ sha1\ data.in
++\f[]
++.fi
++.PP
++Perform a SHA1 HMAC on data.in read as a file to stdin and send output
++to a file:
++.IP
++.nf
++\f[C]
++tpm2_hmac\ \-c\ key.context\ \-P\ abc123\ \-g\ sha1\ \-o\ hash.out\ <<\ data.in
++\f[]
++.fi
++.PP
++Perform a SHA256 HMAC on \f[I]stdin\f[] and send result and possibly
++ticket to stdout:
++.PP
++cat data.in | tpm2_hmac \-k 0x81010002 \-g sha256 \-o hash.out ```
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_listpersistent.1 b/man/man1/tpm2_listpersistent.1
+new file mode 100644
+index 000000000000..ba1e31e8c596
+--- /dev/null
++++ b/man/man1/tpm2_listpersistent.1
+@@ -0,0 +1,185 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_listpersistent" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_listpersistent\f[](1) \- Display all defined persistent
++objects.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_listpersistent\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_listpersistent\f[](1) \- display all defined persistent
++objects.
++.SH OPTIONS
++.PP
++These options for listing the persistent objects:
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]ALGORITHM\f[]: Only display
++persistent objects using this hash algorithm.
++Algorithms should follow the " formatting standards, see section
++"Algorithm Specifiers".
++Also, see section "Supported Hash Algorithms" for a list of supported
++hash algorithms.
++.IP \[bu] 2
++\f[B]\-G\f[], \f[B]\-\-kalg\f[]=\f[I]KEY_ALGORITHM\f[]: Only display
++persistent objects using this key algorithm.
++It accepts friendly names just like \f[B]\-g\f[] option.
++See section "Supported Public Object Algorithms" for a list of supported
++object algorithms.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Supported Hash Algorithms
++.PP
++Supported hash algorithms are:
++.IP \[bu] 2
++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
++\f[B](default)\f[]
++.IP \[bu] 2
++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
++.IP \[bu] 2
++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
++.IP \[bu] 2
++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
++.IP \[bu] 2
++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Supported Public Object Algorithms
++.PP
++Supported public object algorithms are:
++.IP \[bu] 2
++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
++(\f[B]default\f[]).
++.IP \[bu] 2
++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
++.IP \[bu] 2
++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
++.IP \[bu] 2
++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_listpersistent
++tpm2_listpersistent\ \-g\ sha256\ \-G\ ecc
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_load.1 b/man/man1/tpm2_load.1
+new file mode 100644
+index 000000000000..20358a3a9dac
+--- /dev/null
++++ b/man/man1/tpm2_load.1
+@@ -0,0 +1,174 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_load" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_load\f[](1) \- Load an object into the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_load\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_load\f[](1) \- Load both the private and public portions of an
++object into the TPM.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-parent\f[]=\f[I]PARENT_HANDLE\f[]: The handle of
++the parent object.
++Either this option or \f[B]\-c\f[] must be used.
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-context\-parent\f[]=\f[I]PARENT_CONTEXT_FILE\f[]:
++The filename for parent context.
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: The
++password for parent key, optional.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-u\f[], \f[B]\-\-pubfile\f[]=\f[I]PUBLIC_OBJECT_DATA_FILE\f[]: A
++file containing the public portion of the object.
++.IP \[bu] 2
++\f[B]\-r\f[], \f[B]\-\-privfile\f[]=\f[I]PRIVATE_OBJECT_DATA_FILE\f[]: A
++file containing the sensitive portion of the object.
++.IP \[bu] 2
++\f[B]\-n\f[], \f[B]\-\-name\f[]=\f[I]NAME_DATA_FILE\f[]: An optional
++file to save the name structure of the object.
++.IP \[bu] 2
++\f[B]\-C\f[], \f[B]\-\-context\f[]=\f[I]CONTEXT_FILE\f[]: An optional
++file to save the object context to.
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
++Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_load\ \ \-H\ 0x80000000\ \-P\ abc123\ \-u\ <pubKeyFileName>\ \-r\ <privKeyFileName>\ \-n\ <outPutFileName>
++tpm2_load\ \ \-c\ parent.context\ \-P\ abc123\ \-u\ <pubKeyFileName>\ \-r\ <privKeyFileName>\ \-n\ <outPutFileName>\ \-C\ object.context
++tpm2_load\ \ \-H\ 0x80000000\ \-P\ "hex:123abc"\ \-u\ <pubKeyFileName>\ \-r\ <privKeyFileName>\ \-n\ <outPutFileName>
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_loadexternal.1 b/man/man1/tpm2_loadexternal.1
+new file mode 100644
+index 000000000000..b4be6d9a2892
+--- /dev/null
++++ b/man/man1/tpm2_loadexternal.1
+@@ -0,0 +1,166 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_loadexternal" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_loadexternal\f[](1) \- load an object that is not a Protected
++Object into the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_loadexternal\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_loadexternal\f[](1) \- load an object that is not a Protected
++Object into the TPM.
++The command allows loading of a public area or both a public and a
++sensitive area.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-hierarchy\f[]=\f[I]HIERARCHY\f[]: hierarchy to
++use for the ticket.
++Supported options are:
++.RS 2
++.IP \[bu] 2
++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[]
++.IP \[bu] 2
++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[]
++.IP \[bu] 2
++\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[]
++.IP \[bu] 2
++\f[B]n\f[] for \f[B]TPM_RH_NULL\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-u\f[], \f[B]\-\-pubfile\f[]=\f[I]PUBLIC_FILE\f[]: The public
++portion of the object.
++.IP \[bu] 2
++\f[B]\-r\f[], \f[B]\-\-privfile\f[]=\f[I]PRIVATE_FILE\f[]: The sensitive
++portion of the object, optional.
++.IP \[bu] 2
++\f[B]\-C\f[], \f[B]\-\-context\f[]=\f[I]CONTEXT_FILE\f[] The file to
++save the object context, optional.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.PP
++Load a public area generated by tpm2_create, tpm2_readpublic or manually
++.IP
++.nf
++\f[C]
++tpm2_loadexternal\ \-H\ <e|o|p|n>\ \-u\ <pubKeyFileName>\ \-C\ object.context
++\f[]
++.fi
++.PP
++Load a key with sensitive area.
++Both the public & the senstive areas shall be generated externally.
++\f[I]DON\[aq]T\f[] use the areas generated by tpm2_create.
++.IP
++.nf
++\f[C]
++tpm2_loadexternal\ \-H\ n\ \-u\ <pubKeyFileName>\ \-r\ <privKeyFileName>\ \-C\ object.context
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_makecredential.1 b/man/man1/tpm2_makecredential.1
+new file mode 100644
+index 000000000000..90cae8c0ecb1
+--- /dev/null
++++ b/man/man1/tpm2_makecredential.1
+@@ -0,0 +1,142 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_makecredential" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_makecredential\f[](1) \- load an object that is not a
++Protected Object into the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_makecredential\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_makecredential\f[](1) \- Use a TPM public key to protect a
++secret that is used to encrypt the AK certififcate.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-e\f[], \f[B]\-\-enckey\f[]=\f[I]PUBLIC_FILE\f[]: A tpm Public Key
++which was used to wrap the seed.
++.IP \[bu] 2
++\f[B]\-s\f[], \f[B]\-\-sec\f[]=\f[I]SECRET_DATA_FILE\f[]: The secret
++which will be protected by the key derived from the random seed.
++.IP \[bu] 2
++\f[B]\-n\f[], \f[B]\-\-name\f[]=\f[I]NAME\f[] The name of the key for
++which certificate is to be created.
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUT_FILE\f[] The output file
++path, recording the two structures output by tpm2_makecredential
++function.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_makecredential\ \-e\ <keyFile>\ \-s\ <secFile>\ \-n\ <hexString>\ \-o\ <outFile>
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_nvdefine.1 b/man/man1/tpm2_nvdefine.1
+new file mode 100644
+index 000000000000..95c8c84be731
+--- /dev/null
++++ b/man/man1/tpm2_nvdefine.1
+@@ -0,0 +1,203 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_nvdefine" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_nvdefine\f[](1) \- define a TPM Non\-Volatile (NV) index.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_nvdefine\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_nvdefine\f[](1) \- Define NV index with given auth value.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index
++to define the space at.
++.IP \[bu] 2
++\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]:
++specifies the handle used to authorize:
++.RS 2
++.IP \[bu] 2
++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[]
++.IP \[bu] 2
++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-s\f[], \f[B]\-\-size\f[]=\f[I]SIZE\f[]: specifies the size of
++data area in bytes.
++Defaults to MAX_NV_INDEX_SIZE which is typically 2048.
++.IP \[bu] 2
++\f[B]\-t\f[], \f[B]\-\-attributes\f[]=\f[I]ATTRIBUTES\f[] Specifies the
++attribute values for the nv region used when creating the entitiy.
++Either the raw bitfield mask or "nice\-names" may be used.
++See section "NV Attributes" for more details.
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]:
++specifies the password of authHandle.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-I\f[], \f[B]\-\-index\-passwd\f[]=\f[I]INDEX_PASSWORD\f[]:
++specifies the password of NV Index when created.
++Follows the same formatting guidelines as the handle password or \-P
++option.
++.IP \[bu] 2
++\f[B]\-L\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: Specifies
++the policy digest file for policy based authorizations.
++.IP \[bu] 2
++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]:
++Optional Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH NV Attributes
++.PP
++NV Attributes are used to control various properties of the NV defined
++space.
++When specified as an option, either the raw bitfield mask or
++"nice\-names" may be used.
++The values can be found in Table 204 Part 2 of the TPM2.0 specification,
++which can be found here:
++.PP
++<https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>
++.PP
++Nice names are calculated by taking the name field of table 204 and
++removing the prefix \f[B]TPMA_NV_\f[] and lowercasing the result.
++Thus, \f[B]TPMA_NV_PPWRITE\f[] becomes ppwrite.
++Nice names can be joined using the bitwise or "|" symbol.
++.PP
++Note that the \f[B]TPM_NT\f[] field is 4 bits wide, and thus can be set
++via \f[B]nt=\f[] format.
++For instance, to set The fields \f[B]TPMA_NV_OWNERREAD\f[],
++\f[B]TPMA_NV_OWNERWRITE\f[], \f[B]TPMA_NV_POLICYWRITE\f[], and
++\f[B]TPMA_NT = 0x3\f[], the argument would be:
++.PP
++\f[B]ownerread|ownerwrite|policywrite|nt=0x3\f[] # Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_nvdefine\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32\ \-t\ 0x2000A
++tpm2_nvdefine\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32\ \-t\ ownerread|ownerwrite|policywrite\ \-I\ 1a1b1c
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_nvlist.1 b/man/man1/tpm2_nvlist.1
+new file mode 100644
+index 000000000000..ac8c5dec8743
+--- /dev/null
++++ b/man/man1/tpm2_nvlist.1
+@@ -0,0 +1,192 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_nvlist" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_nvlist\f[](1) \- display all defined Non\-Volatile (NV)s
++indices.
++.SS SYNOPSIS
++.PP
++\f[B]tpm2_nvlist\f[] [\f[I]OPTIONS\f[]]
++.SS DESCRIPTION
++.PP
++\f[B]tpm2_nvlist\f[](1) \- display all defined Non\-Volatile (NV)s
++indices to stdout in a YAML format.
++.PP
++Display metadata for all defined NV indices.
++Metadata includes:
++.IP \[bu] 2
++The size of the defined region.
++.IP \[bu] 2
++The hash algorithm used to compute the name of the index.
++.IP \[bu] 2
++The auth policy.
++.IP \[bu] 2
++The NV attributes as defined in section "NV Attributes".
++.PP
++Example Output:
++.IP
++.nf
++\f[C]
++0x1500015:
++\ \ hash\ algorithm:
++\ \ \ \ friendly:\ sha256
++\ \ \ \ value:\ 0xB
++\ \ attributes:
++\ \ \ \ friendly:\ ownerwrite|ownerread
++\ \ \ \ value:\ 0x2000200
++\ \ size:\ 32
++\ \ authorization\ policy:
++
++0x1500017:
++\ \ hash\ algorithm:
++\ \ \ \ friendly:\ sha256
++\ \ \ \ value:\ 0xB
++\ \ attributes:
++\ \ \ \ friendly:\ ownerwrite|ownerread
++\ \ \ \ value:\ 0x2000200
++\ \ size:\ 32
++\ \ authorization\ policy:
++\f[]
++.fi
++.SH OPTIONS
++.PP
++This tool takes no tool specific options.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH NV Attributes
++.PP
++NV Attributes are used to control various properties of the NV defined
++space.
++When specified as an option, either the raw bitfield mask or
++"nice\-names" may be used.
++The values can be found in Table 204 Part 2 of the TPM2.0 specification,
++which can be found here:
++.PP
++<https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>
++.PP
++Nice names are calculated by taking the name field of table 204 and
++removing the prefix \f[B]TPMA_NV_\f[] and lowercasing the result.
++Thus, \f[B]TPMA_NV_PPWRITE\f[] becomes ppwrite.
++Nice names can be joined using the bitwise or "|" symbol.
++.PP
++Note that the \f[B]TPM_NT\f[] field is 4 bits wide, and thus can be set
++via \f[B]nt=\f[] format.
++For instance, to set The fields \f[B]TPMA_NV_OWNERREAD\f[],
++\f[B]TPMA_NV_OWNERWRITE\f[], \f[B]TPMA_NV_POLICYWRITE\f[], and
++\f[B]TPMA_NT = 0x3\f[], the argument would be:
++.PP
++\f[B]ownerread|ownerwrite|policywrite|nt=0x3\f[] # EXAMPLES
++.PP
++To list the defined NV indeces to stdout:
++.IP
++.nf
++\f[C]
++tpm2_nvlist
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_nvread.1 b/man/man1/tpm2_nvread.1
+new file mode 100644
+index 000000000000..59025e755dd0
+--- /dev/null
++++ b/man/man1/tpm2_nvread.1
+@@ -0,0 +1,193 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_nvread" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_nvread\f[](1) \- Read the data stored in a Non\-Volatile (NV)s
++index.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_nvread\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_nvread\f[](1) \- Read the data stored in a Non\-Volatile (NV)s
++index.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index
++to define the space at.
++.IP \[bu] 2
++\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]:
++specifies the handle used to authorize:
++.RS 2
++.IP \[bu] 2
++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[]
++.IP \[bu] 2
++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-f\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[]: file to write data
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]:
++specifies the password of authHandle.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-s\f[], \f[B]\-\-size\f[]=\f[I]SIZE\f[]: Specifies the size of
++data to be read in bytes, starting from 0 if offset is not specified.
++If not specified, the size of the data as reported by the public portion
++of the index will be used.
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-offset\f[]=\f[I]OFFSET\f[]: The offset within the
++NV index to start reading from.
++.IP \[bu] 2
++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]:
++Optional Input session handle from a policy session for authorization.
++.IP \[bu] 2
++\f[B]\-L\f[], \f[B]\-\-set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]:
++.RS 2
++.PP
++The list of pcr banks and selected PCRs\[aq] ids.
++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers
++standards, see section "PCR Bank Specfiers".
++.RE
++.IP \[bu] 2
++\f[B]\-F\f[],**\-\-pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[]
++.RS 2
++.PP
++Optional Path or Name of the file containing expected pcr values for the
++specified index.
++Default is to read the current PCRs per the set list.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.PP
++To read 32 bytes from an index starting at offset 0:
++.IP
++.nf
++\f[C]
++tpm2_nvread\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_nvreadlock.1 b/man/man1/tpm2_nvreadlock.1
+new file mode 100644
+index 000000000000..3dcb5c9e51fc
+--- /dev/null
++++ b/man/man1/tpm2_nvreadlock.1
+@@ -0,0 +1,168 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_nvreadlock" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_nvreadlock\f[](1) \- lock the Non\-Volatile (NV) index for
++further reads.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_nvreadlock\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_nvreadlock\f[](1) \- lock the Non\-Volatile (NV) index for
++further reads.
++The index is released on subsequent restart of the machine.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index
++to define the space at.
++.IP \[bu] 2
++\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]:
++specifies the handle used to authorize:
++.RS 2
++.IP \[bu] 2
++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[]
++.IP \[bu] 2
++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]:
++specifies the password of authHandle.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]:
++Optional Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.PP
++To lock an index protected by a password:
++.IP
++.nf
++\f[C]
++tpm2_nvreadlock\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-P\ passwd
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_nvrelease.1 b/man/man1/tpm2_nvrelease.1
+new file mode 100644
+index 000000000000..be984d747144
+--- /dev/null
++++ b/man/man1/tpm2_nvrelease.1
+@@ -0,0 +1,167 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_nvrelease" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_nvrelease\f[](1) \- Release a Non\-Volatile (NV) index.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_nvrelease\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_nvrelease\f[](1) \- Release a Non\-Volatile (NV) index that
++was previously defined with tpm2_nvdefine(1).
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index
++to release.
++.IP \[bu] 2
++\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]:
++specifies the handle used to authorize:
++.RS 2
++.IP \[bu] 2
++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[]
++.IP \[bu] 2
++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-s\f[], \f[B]\-\-size\f[]=\f[I]SIZE\f[]: specifies the size of
++data area in bytes.
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]:
++specifies the password of authHandle.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]:
++Optional Input session handle from a policy session for authorization.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_nvrelease\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-P\ passwd
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_nvwrite.1 b/man/man1/tpm2_nvwrite.1
+new file mode 100644
+index 000000000000..8f69e026d49f
+--- /dev/null
++++ b/man/man1/tpm2_nvwrite.1
+@@ -0,0 +1,186 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_nvwrite" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_nvwrite\f[](1) \- Write data to a Non\-Volatile (NV) index.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_nvwrite\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_nvwrite\f[](1) \- Write data specified via \f[I]FILE\f[] to a
++Non\-Volatile (NV) index.
++If \f[I]FILE\f[] is not specified, it defaults to stdout.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index
++to define the space at.
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-offset\f[]=\f[I]OFFSET\f[]: The offset within the
++NV index to start writing at.
++.IP \[bu] 2
++\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]:
++specifies the handle used to authorize:
++.RS 2
++.IP \[bu] 2
++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[]
++.IP \[bu] 2
++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[]
++.RE
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]:
++specifies the password of authHandle.
++Passwords should follow the "password formatting standards, see section
++"Password Formatting".
++.IP \[bu] 2
++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]:
++Optional Input session handle from a policy session for authorization.
++.IP \[bu] 2
++\f[B]\-L\f[], \f[B]\-\-set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]:
++.RS 2
++.PP
++The list of pcr banks and selected PCRs\[aq] ids.
++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers
++standards, see section "PCR Bank Specfiers".
++.RE
++.IP \[bu] 2
++\f[B]\-F\f[],**\-\-pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[]
++.RS 2
++.PP
++Optional Path or Name of the file containing expected pcr values for the
++specified index.
++Default is to read the current PCRs per the set list.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.PP
++To write the file nv.data to index 0x150016:
++.IP
++.nf
++\f[C]
++tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x40000001\ nv.data
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_pcrevent.1 b/man/man1/tpm2_pcrevent.1
+new file mode 100644
+index 000000000000..1359d00dbc6d
+--- /dev/null
++++ b/man/man1/tpm2_pcrevent.1
+@@ -0,0 +1,162 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_pcrevent" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_pcrevent\f[](1) \- hashes a file and optionally extends a pcr.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_pcrevent\f[] [\f[I]OPTIONS\f[]] [\f[I]FILE\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_pcrevent\f[](1) hashes \f[I]FILE\f[] if specified or stdin.
++It uses all of the hashing algorithms that the tpm supports.
++Optionally, if a pcr index is specified, it extends that pcr for all
++supported algorithms with the hash digest.
++In either case, it outputs to stdout the hash algorithm used and the
++digest value, one per line:
++.PP
++\f[I]alg\f[]:\f[I]digest\f[]
++.PP
++Where \f[I]alg\f[] is the algorithm used (eg.
++sha1) and \f[I]digest\f[] is the digest resulting from the hash
++computation of \f[I]alg\f[] on the data.
++.PP
++See sections 23.1 and sections 17 of the TPM2.0
++Specification (https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf)
++.SH OPTIONS
++.PP
++These options control extending the pcr:
++.IP \[bu] 2
++\f[B]\-i\f[], \f[B]\-\-pcr\-index\f[]=\f[I]INDEX\f[]: Not only compute
++the hash digests on \f[I]FILE\f[], also extend the pcr given by
++\f[I]INDEX\f[] for all supported hash algorithms.
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Use
++\f[I]SESSION_HANDLE\f[] for providing an authorization session for the
++pcr specified by \f[I]INDEX\f[].
++It is an error to specify \f[B]\-S\f[] without specifying a pcr index
++with \f[B]\-i\f[].
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-password\f[]=\f[I]PASSWORD\f[]: Use
++\f[I]PASSWORD\f[] for providing an authorization value for the pcr
++specified in \f[I]INDEX\f[].
++It is an error to specify \f[B]\-P\f[] without specifying a pcr index
++with \f[B]\-i\f[].
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.PP
++Hash a file:
++.PP
++tpm2_pcrevent data
++.PP
++Hash a file and extend pcr 8:
++.PP
++tpm2_pcrevent \-i 8 data
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_pcrextend.1 b/man/man1/tpm2_pcrextend.1
+new file mode 100644
+index 000000000000..5a4a232907f6
+--- /dev/null
++++ b/man/man1/tpm2_pcrextend.1
+@@ -0,0 +1,178 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_pcrextend" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_pcrextend\f[](1) \- Extends a PCR.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_pcrextend\f[] [\f[I]OPTIONS\f[]] [\f[I]PCR_DIGEST_SPEC\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_pcrextend\f[](1) Extends the pcrs with values indicated by
++\f[I]PCR_DIGEST_SPEC\f[].
++.PP
++A \f[I]PCR_DIGEST_SPEC\f[] is defined as follows:
++.IP \[bu] 2
++A numerical pcr identifier.
++.IP \[bu] 2
++A colon followed by the algorithm hash specification.
++The algorithm hash specification is as follows:
++.RS 2
++.IP \[bu] 2
++The algorithm friendly name or raw numerical.
++.IP \[bu] 2
++An equals sign.
++.IP \[bu] 2
++The hex hash value.
++.RE
++.PP
++Example Digest Specification:
++.IP
++.nf
++\f[C]
++4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
++\f[]
++.fi
++.PP
++\f[B]Note\f[]: that multiple specifications of PCR and hash are allowed.
++Multiple hashes cause the pcr to be extended with both hashes.
++Multiple same PCR values cause the PCR to be extended multiple times.
++Extension is done in order from left to right as specified.
++At most 5 hash extensions per PCR entry are supported.
++This is to keep the parser simple.
++.SH OPTIONS
++.PP
++This tool accepts no tool specific options.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.PP
++Extend PCR 4\[aq]s SHA1 bank with a hash:
++.IP
++.nf
++\f[C]
++tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
++\f[]
++.fi
++.PP
++Extend PCR 4\[aq]s SHA1 and SHA256 banks with hashes:
++.IP
++.nf
++\f[C]
++tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15,sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
++\f[]
++.fi
++.PP
++Extend PCR 4\[aq]s SHA1 and PCR 7\[aq]s SHA256 bank with hashes:
++.IP
++.nf
++\f[C]
++tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15\ 7:sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_pcrlist.1 b/man/man1/tpm2_pcrlist.1
+new file mode 100644
+index 000000000000..fb9a329da20b
+--- /dev/null
++++ b/man/man1/tpm2_pcrlist.1
+@@ -0,0 +1,246 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_pcrlist" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_pcrlist\f[](1) \- List PCR values.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_pcrlist\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_pcrlist\f[](1) Displays PCR values.
++Without any options, \f[B]tpm2_pcrlist\f[] outputs all pcrs and their
++hash banks.
++One can use either the \f[B]\-g\f[] or \f[B]\-L\f[] mutually exclusive
++options to filter the output.
++.PP
++Output is writtien in a YAML format to stdout, with each algorithm
++followed by a PCR index and its value.
++As a simple example assume just sha1 and sha256 support and only 1 PCR.
++The output would be:
++.IP
++.nf
++\f[C]
++sha1\ :
++\ \ 0\ \ :\ 0000000000000000000000000000000000000003
++sha256\ :
++\ \ 0\ \ :\ 0000000000000000000000000000000000000000000000000000000000000003
++\f[]
++.fi
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-algorithm\f[]=\f[I]HASH_ALGORITHM\f[]: Only
++output PCR banks with the given algorithm.
++Algorithms should follow the "formatting standards, see section
++"Algorithm Specifiers".
++Also, see section "Supported Hash Algorithms" for a list of supported
++hash algorithms.
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[]: The output file to
++write the PCR values in binary format, optional.
++.IP \[bu] 2
++\f[B]\-L\f[], \f[B]\-\-sel\-list\f[]=\f[I]PCR_SELECTION_LIST\f[]:
++.RS 2
++.PP
++The list of pcr banks and selected PCRs\[aq] ids for each bank to
++display.
++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers
++standards, see section "PCR Bank Specfiers".
++.RE
++.IP \[bu] 2
++\f[B]\-s\f[], \f[B]\-\-algs\f[]: Output the list of supported
++algorithms.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH PCR Bank Specfiers
++.PP
++PCR Bank Selection lists follow the below specification:
++.IP
++.nf
++\f[C]
++<BANK>:<PCR>[,<PCR>]
++\f[]
++.fi
++.PP
++multiple banks may be separated by \[aq]+\[aq].
++.PP
++For example:
++.IP
++.nf
++\f[C]
++sha:3,4+sha256:5,6
++\f[]
++.fi
++.PP
++will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
++SHA256 bank.
++.SS Note
++.PP
++PCR Selections allow for up to 5 hash to pcr selection mappings.
++This is a limitaion in design in the single call to the tpm to get the
++pcr values.
++.SH Supported Hash Algorithms
++.PP
++Supported hash algorithms are:
++.IP \[bu] 2
++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
++\f[B](default)\f[]
++.IP \[bu] 2
++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
++.IP \[bu] 2
++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
++.IP \[bu] 2
++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
++.IP \[bu] 2
++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH EXAMPLES
++.PP
++display all PCR values:
++.IP
++.nf
++\f[C]
++tpm2_pcrlist
++\f[]
++.fi
++.PP
++Display the PCR values with a specified bank:
++.IP
++.nf
++\f[C]
++tpm2_pcrlist\ \-g\ sha1
++\f[]
++.fi
++.PP
++Display the PCR values with specified banks and store in a file:
++.IP
++.nf
++\f[C]
++tpm2_pcrlist\ \-L\ sha1:16,17,18+sha256:16,17,18\ \-o\ pcrs
++\f[]
++.fi
++.PP
++Display the supported PCR bank algorithms and exit:
++.IP
++.nf
++\f[C]
++tpm2_pcrlist\ \-s
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_quote.1 b/man/man1/tpm2_quote.1
+new file mode 100644
+index 000000000000..3d49cb84dbce
+--- /dev/null
++++ b/man/man1/tpm2_quote.1
+@@ -0,0 +1,255 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_quote" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_quote\f[](1) \- Provide a quote and signature from the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_quote\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_quote\f[](1) Provide quote and signature for given list of
++PCRs in given algorithm/banks.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-k\f[], \f[B]\-\-ak\-handle\f[]=\f[I]AK_HANDLE\f[]:
++.RS 2
++.PP
++Handle of existing AK.
++.RE
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-ak\-context\f[]=\f[I]AK_CONTEXT_FILE\f[]:
++.RS 2
++.PP
++Filename for the existing AK\[aq]s context.
++.RE
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-ak\-password\f[]=\f[I]AK_PASSWORD\f[]:
++.RS 2
++.PP
++specifies the password of \f[I]AK_HANDLE\f[].
++Passwords should follow the password formatting standards, see section
++"Password Formatting".
++.RE
++.IP \[bu] 2
++\f[B]\-l\f[], \f[B]\-\-id\-list\f[]=\f[I]PCR_ID_LIST\f[]
++.RS 2
++.PP
++The comma separated list of selected PCRs\[aq] ids, 0~23 e.g.
++"4,5,6".
++.RE
++.IP \[bu] 2
++\f[B]\-L\f[], \f[B]\-\-sel\-list\f[]=\f[I]PCR_SELECTION_LIST\f[]:
++.RS 2
++.PP
++The list of pcr banks and selected PCRs\[aq] ids for each bank.
++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers
++standards, see section "PCR Bank Specfiers".
++.RE
++.IP \[bu] 2
++\f[B]\-m\f[], \f[B]\-\-message\f[]:
++.RS 2
++.PP
++message output file, records the quote message that makes up the data
++that is signed by the TPM.
++.RE
++.IP \[bu] 2
++\f[B]\-s\f[], \f[B]\-\-signature\f[]:
++.RS 2
++.PP
++signature output file, records the signature in the format specified via
++the \f[B]\-f\f[] option.
++.RE
++.IP \[bu] 2
++\f[B]\-f\f[], \f[B]\-\-format\f[]
++.RS 2
++.PP
++Format selection for the signature output file.
++See section "Signature Format Specifiers".
++.RE
++.IP \[bu] 2
++\f[B]\-q\f[], \f[B]\-\-qualify\-data\f[]:
++.RS 2
++.PP
++Data given as a Hex string to qualify the quote, optional.
++This is typically used to add a nonce against replay attacks.
++.RE
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional
++Input session handle from a policy session for authorization.
++.IP \[bu] 2
++\f[B]\-G\f[], \f[B]\-\-sig\-hash\-algorithm\f[]:
++.RS 2
++.PP
++Hash algorithm for signature.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH PCR Bank Specfiers
++.PP
++PCR Bank Selection lists follow the below specification:
++.IP
++.nf
++\f[C]
++<BANK>:<PCR>[,<PCR>]
++\f[]
++.fi
++.PP
++multiple banks may be separated by \[aq]+\[aq].
++.PP
++For example:
++.IP
++.nf
++\f[C]
++sha:3,4+sha256:5,6
++\f[]
++.fi
++.PP
++will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
++SHA256 bank.
++.SS Note
++.PP
++PCR Selections allow for up to 5 hash to pcr selection mappings.
++This is a limitaion in design in the single call to the tpm to get the
++pcr values.
++.SH Signature Format Specifiers
++.PP
++Format selection for the signature output file.
++\f[B]tss\f[] (the default) will output a binary blob according to the
++TPM 2.0 specification and any potential compiler padding.
++The option \f[B]plain\f[] will output the plain signature data as
++defined by the used cryptographic algorithm.
++# EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_quote\ \-k\ 0x81010002\ \-P\ abc123\ \-g\ sha1\ \-l\ 16,17,18
++tpm2_quote\ \-c\ ak.context\ \-P\ "str:abc123"\ \-g\ sha1\ \-l\ 16,17,18
++tpm2_quote\ \-k\ 0x81010002\ \-g\ sha1\ \-l\ 16,17,18
++tpm2_quote\ \-c\ ak.context\ \-g\ sha1\ \-l\ 16,17,18
++tpm2_quote\ \-k\ 0x81010002\ \-P\ "hex:123abc"\ \-L\ sha1:16,17,18+sha256:16,17,18\ \-q\ 11aa22bb
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_rc_decode.1 b/man/man1/tpm2_rc_decode.1
+new file mode 100644
+index 000000000000..492eea90607c
+--- /dev/null
++++ b/man/man1/tpm2_rc_decode.1
+@@ -0,0 +1,132 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_rc_decode" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_rc_decode\f[](1) \- Decode TPM2 error codes to human readable
++format.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_rc_decode\f[] [\f[I]OPTIONS\f[]] \f[I]RC_CODE\f[]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_rc_decode\f[](1) converts \f[I]RC_CODE\f[] originating from
++the SAPI and TCTI into human readable errors.
++Analogous to strerror(3), but for the tpm2 stack.
++.SH OPTIONS
++.PP
++This tool takes no tool specific options.
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_rc_decode\ 0x100
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_readpublic.1 b/man/man1/tpm2_readpublic.1
+new file mode 100644
+index 000000000000..ccc8c4010af1
+--- /dev/null
++++ b/man/man1/tpm2_readpublic.1
+@@ -0,0 +1,155 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_readpublic" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_readpublic\f[](1) \- Read the public area of a loaded object.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_readpublic\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_readpublic\f[](1) Reads the public area of a loaded object.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-object\f[]=\f[I]HANDLE\f[]:
++.RS 2
++.PP
++The loaded object handle to read the public data of.
++.RE
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-ak\-context\f[]=\f[I]OBJECT_CONTEXT_FILE\f[]:
++.RS 2
++.PP
++Filename for object context.
++.RE
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-opu\f[]:
++.RS 2
++.PP
++The output file path, recording the public portion of the object.
++.RE
++.IP \[bu] 2
++\f[B]\-f\f[], \f[B]\-\-format\f[]:
++.RS 2
++.PP
++Format selection for the public key output file.
++\[aq]tss\[aq] (the default) will output a binary blob according to the
++TPM 2.0 secification.
++\[aq]pem\[aq] will output an OpenSSL compatible PEM encoded public key.
++\[aq]der\[aq] will output an OpenSSL compatible DER encoded public key.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_readpublic\ \-H\ 0x81010002\ \-\-opu\ output.dat
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_rsadecrypt.1 b/man/man1/tpm2_rsadecrypt.1
+new file mode 100644
+index 000000000000..dede7d971717
+--- /dev/null
++++ b/man/man1/tpm2_rsadecrypt.1
+@@ -0,0 +1,191 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_rsadecrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_rsadecrypt\f[](1) \- Performs an RSA Decryption operation
++using the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_tpm2_rsadecrypt\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_rsadecrypt\f[](1) performs RSA decryption using the indicated
++padding scheme according to IETF RFC 3447 (PKCS#1).
++The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[].
++.PP
++The key referenced by keyHandle is \f[B]required\f[] to be:
++.IP "1." 3
++an RSA key
++.IP "2." 3
++Have the attribute \f[I]decrypt\f[] \f[B]SET\f[] in it\[aq]s attributes.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]:
++.RS 2
++.PP
++the public portion of RSA key to use for decryption.
++.RE
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
++.RS 2
++.PP
++filename of the key context used for the operation.
++.RE
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]:
++.RS 2
++.PP
++specifies the password of \f[I]KEY_HANDLE\f[].
++Passwords should follow the password formatting standards, see section
++"Password Formatting".
++.RE
++.IP \[bu] 2
++\f[B]\-I\f[], \f[B]\-\-in\-file\f[]=\f[I]INPUT\f[]:
++.RS 2
++.PP
++Input file path, containing the data to be decrypted.
++.RE
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]:
++.RS 2
++.PP
++Output file path, record the decrypted data.
++.RE
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]:
++.RS 2
++.PP
++Optional Input session handle from a policy session for authorization.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_rsadecrypt\ \-k\ 0x81010001\ \-I\ encrypted.in\ \-o\ plain.out
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_rsaencrypt.1 b/man/man1/tpm2_rsaencrypt.1
+new file mode 100644
+index 000000000000..29e2bcd7e9df
+--- /dev/null
++++ b/man/man1/tpm2_rsaencrypt.1
+@@ -0,0 +1,188 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_rsaencrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_rsaencrypt\f[](1) \- Performs an RSA Encryption operation
++using the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_rsaencrypt\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_rsaencrypt\f[](1) performs RSA encryption on the contents of
++\f[I]FILE\f[] (defaulting to stdin) using the indicated padding scheme
++according to IETF RFC 3447 (PKCS#1).
++The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[].
++.PP
++The key referenced by keyHandle is \f[B]required\f[] to be:
++.IP "1." 3
++an RSA key
++.IP "2." 3
++Have the attribute \f[I]decrypt\f[] \f[B]SET\f[] in it\[aq]s attributes.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]:
++.RS 2
++.PP
++the public portion of RSA key to use for encryption.
++.RE
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
++.RS 2
++.PP
++filename of the key context used for the operation.
++.RE
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]:
++.RS 2
++.PP
++specifies the password of \f[I]KEY_HANDLE\f[].
++Passwords should follow the password formatting standards, see section
++"Password Formatting".
++.RE
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]:
++.RS 2
++.PP
++Output file path, record the decrypted data.
++The default is to print an xxd compatible hexdump to stdout.
++If a file is specified, raw binary output is performed.
++.RE
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]:
++.RS 2
++.PP
++Optional Input session handle from a policy session for authorization.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_rsaencrypt\ \-k\ 0x81010001\ \-I\ plain.in\ \-o\ encrypted.out
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_send.1 b/man/man1/tpm2_send.1
+new file mode 100644
+index 000000000000..193b66d101b7
+--- /dev/null
++++ b/man/man1/tpm2_send.1
+@@ -0,0 +1,154 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_send" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_send\f[](1) \- Send a raw command buffer to the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_send\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_send\f[](1) Sends a TPM command to the TPM.
++The command is read from a file as a binary stream and transmitted to
++the TPM using the TCTI specified by the caller.
++The response received from the TPM is written to the output file.
++.PP
++Likely the caller will want to redirect this to a file or into a program
++to decode and display the response in a human readable form.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-i\f[], \f[B]\-\-input\f[]=\f[I]INPUT\f[]:
++.RS 2
++.PP
++Input file to read a command buffer from.
++Defaults to stdin.
++.RE
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]:
++.RS 2
++.PP
++Output file to send response buffer to.
++Defaults to stdout.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.PP
++Send the contents of tpm2\-command.bin to a device and collect the
++response as tpm2\-response.bin.
++All examples of below accomplish this task.
++.IP
++.nf
++\f[C]
++tpm2_send\ \-\-tcti=device\ <\ tpm2\-command.bin\ >\ tpm2\-response.bin
++tpm2_send\ \-\-tcti=device\ \-i\ tpm2\-command.bin\ >\ tpm2\-response.bin
++tpm2_send\ \-\-tcti=device\ <\ tpm2\-command.bin\ \-o\ tpm2\-response.bin
++tpm2_send\ \-\-tcti=device\ \-i\ tpm2\-command.bin\ \-o\ tpm2\-response.bin
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_sign.1 b/man/man1/tpm2_sign.1
+new file mode 100644
+index 000000000000..67e079619fba
+--- /dev/null
++++ b/man/man1/tpm2_sign.1
+@@ -0,0 +1,245 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_sign" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_sign\f[](1) \- Sign a hash using the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_sign\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_sign\f[](1) signs an externally provided hash with the
++specified symmetric or asymmetric signing key.
++If keyHandle references a restricted signing key, then validation shall
++be provided, indicating that the TPM performed the hash of the data and
++validation shall indicate that hashed data did not start with
++\f[B]TPM_GENERATED_VALUE\f[].
++The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[].
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]:
++.RS 2
++.PP
++Handle of key that will perform signing.
++.RE
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
++.RS 2
++.PP
++Filename of the key context used for the operation.
++.RE
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]:
++.RS 2
++.PP
++Specifies the password of \f[I]KEY_HANDLE\f[].
++Passwords should follow the password formatting standards, see section
++"Password Formatting".
++.RE
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]:
++.RS 2
++.PP
++The hash algorithm used to digest the message.
++Algorithms should follow the "formatting standards, see section
++"Algorithm Specifiers".
++Also, see section "Supported Hash Algorithms" for a list of supported
++hash algorithms.
++.RE
++.IP \[bu] 2
++\f[B]\-m\f[], \f[B]\-\-msg\f[]=\f[I]MSG_FILE\f[]:
++.RS 2
++.PP
++The message file, containing the content to be digested.
++.RE
++.IP \[bu] 2
++\f[B]\-t\f[], \f[B]\-\-ticket\f[]=\f[I]TICKET_FILE\f[]:
++.RS 2
++.PP
++The ticket file, containning the validation structure, optional.
++.RE
++.IP \[bu] 2
++\f[B]\-s\f[], \f[B]\-\-sig\f[]=\f[I]TICKET_FILE\f[]:
++.RS 2
++.PP
++The signature file, records the signature structure.
++.RE
++.IP \[bu] 2
++\f[B]\-f\f[], \f[B]\-\-format\f[]
++.RS 2
++.PP
++Format selection for the signature output file.
++See section "Signature Format Specifiers".
++.RE
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]:
++.RS 2
++.PP
++Optional Input session handle from a policy session for authorization.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH Supported Hash Algorithms
++.PP
++Supported hash algorithms are:
++.IP \[bu] 2
++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
++\f[B](default)\f[]
++.IP \[bu] 2
++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
++.IP \[bu] 2
++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
++.IP \[bu] 2
++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
++.IP \[bu] 2
++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH Signature Format Specifiers
++.PP
++Format selection for the signature output file.
++\f[B]tss\f[] (the default) will output a binary blob according to the
++TPM 2.0 specification and any potential compiler padding.
++The option \f[B]plain\f[] will output the plain signature data as
++defined by the used cryptographic algorithm.
++# EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_sign\ \-k\ 0x81010001\ \-P\ abc123\ \-g\ sha256\ \-m\ <filePath>\ \-s\ <filePath>\ \-t\ <filePath>
++tpm2_sign\ \-c\ key.context\ \-P\ abc123\ \-g\ sha256\ \-m\ <filePath>\ \-s\ <filePath>\ \-t\ <filePath>
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_startup.1 b/man/man1/tpm2_startup.1
+new file mode 100644
+index 000000000000..ca40b6bceb79
+--- /dev/null
++++ b/man/man1/tpm2_startup.1
+@@ -0,0 +1,139 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_startup" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_startup\f[](1) \- Send a startup command to the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_startup\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_startup\f[](1) Send a \f[B]TPM2_Startup\f[] command with
++either \f[B]TPM_SU_CLEAR\f[] or \f[B]TPM_SU_STATE\f[].
++.PP
++\f[B]NOTE\f[]: Typically a Resource Manager or low\-level/boot software
++will have already sent this command.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-clear\f[]:
++.RS 2
++.PP
++Startup type sent will be \f[B]TPM_SU_CLEAR\f[] instead of
++\f[B]TPM2_SU_STATE\f[].
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_startup
++tpm2_startup\ \-c
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_takeownership.1 b/man/man1/tpm2_takeownership.1
+new file mode 100644
+index 000000000000..aee0bc7d4ced
+--- /dev/null
++++ b/man/man1/tpm2_takeownership.1
+@@ -0,0 +1,220 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_takeownership" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_takeownership\f[](1) \- Insert authorization values for the
++owner, endorsement and lockout authorizations.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_takeownership\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_takeownership\f[](1) \- performs a hash operation on
++\f[I]FILE\f[] and returns the results.
++If \f[I]FILE\f[] is not specified, then data is read from stdin.
++If the results of the hash will be used in a signing operation that uses
++a restricted signing key, then the ticket returned by this command can
++indicate that the hash is safe to sign.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-owner\-password\f[]=\f[I]OWNER_PASSWORD\f[]: The
++new owner authorization value.
++.RS 2
++.PP
++Passwords should follow the password formatting standards, see section
++"Password Formatting".
++.RE
++.IP \[bu] 2
++\f[B]\-e\f[], \f[B]\-\-endorse\-password\f[]=\f[I]ENDORSE_PASSWORD\f[]:
++.RS 2
++.PP
++The new endorse authorization value.
++Passwords should follow the same formatting requirements as the \-o
++option.
++.RE
++.IP \[bu] 2
++\f[B]\-l\f[], \f[B]\-\-lockout\-password\f[]=\f[I]LOCKOUT_PASSWORD\f[]:
++.RS 2
++.PP
++The new lockout authorization value.
++.PP
++The new endorse authorization value.
++Passwords should follow the same formatting requirements as the \-o
++option.
++.RE
++.IP \[bu] 2
++\f[B]\-O\f[],
++\f[B]\-\-old\-ownerPassword\f[]=\f[I]OLD_OWNER_PASSWORD\f[]:
++.RS 2
++.PP
++The old owner authorization value.
++Passwords should follow the same formatting requirements as the \-o
++option.
++.RE
++.IP \[bu] 2
++\f[B]\-E\f[],
++\f[B]\-\-old\-endorsePassword\f[]=\f[I]OLD_ENDORSE_PASSWORD\f[]:
++.RS 2
++.PP
++The old endorse authorization value.
++Passwords should follow the same formatting requirements as the \-o
++option.
++.RE
++.IP \[bu] 2
++\f[B]\-L\f[],
++\f[B]\-\-old\-lockoutPassword\f[]=\f[I]OLD_LOCKOUT_PASSWORD\f[]:
++.RS 2
++.PP
++The old lockout authorization value.
++Passwords should follow the same formatting requirements as the \-o
++option.
++.RE
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-clear\f[]:
++.RS 2
++.PP
++Clears the 3 authorizations values with lockout auth, thus one must
++specify \-L.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH EXAMPLES
++.PP
++Set owner, endorsement and lockout authorizations to an empty auth
++value:
++.IP
++.nf
++\f[C]
++tpm2_takeownership\ \-c\ \-L\ oldlockoutpasswd
++\f[]
++.fi
++.PP
++Set owner, endorsement and lockout authorizations to a new value:
++.IP
++.nf
++\f[C]
++tpm2_takeownership\ \-o\ newo\ \-e\ newe\ \-l\ newl\ \-O\ oldo\ \-E\ olde\ \-L\ oldl
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_unseal.1 b/man/man1/tpm2_unseal.1
+new file mode 100644
+index 000000000000..81a3b6696b7a
+--- /dev/null
++++ b/man/man1/tpm2_unseal.1
+@@ -0,0 +1,232 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_unseal" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_unseal\f[](1) \- Returns the data in a loaded Sealed Data
++Object.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_unseal\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_unseal\f[](1) \- \-returns the data in a loaded Sealed Data
++Object.
++.PP
++\f[B]NOTE\f[]: The \f[B]\-\-set\-list\f[] and
++\f[B]\-\-pcr\-input\-file\f[] options should only be used for simple PCR
++authentication policies.
++For more complex policies the tools should be ran in an execution
++environment that keeps the session context alive and pass that session
++using the \f[B]\-\-input\-session\-handle\f[] option.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-H\f[], \f[B]\-\-item\f[]=\f[I]ITEM_HANDLE\f[]:
++.RS 2
++.PP
++Item handle of loaded object.
++.RE
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-item\-context\f[]=\f[I]ITEM_CONTEXT_FILE\f[]:
++.RS 2
++.PP
++Filename of the item context.
++.RE
++.IP \[bu] 2
++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]:
++.RS 2
++.PP
++Specifies the password of \f[I]ITEM_HANDLE\f[].
++Passwords should follow the password formatting standards, see section
++"Password Formatting".
++.RE
++.IP \[bu] 2
++\f[B]\-o\f[], \f[B]\-\-outfile\f[]=\f[I]OUT_FILE\f[]:
++.RS 2
++.PP
++Output file name, containing the unsealed data.
++Defaults to stdout if not specified.
++.RE
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]:
++.RS 2
++.PP
++Optional Input session handle from a policy session for authorization.
++.RE
++.IP \[bu] 2
++\f[B]\-L\f[], \f[B]\-\-set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]:
++.RS 2
++.PP
++The list of pcr banks and selected PCRs\[aq] ids.
++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers
++standards, see section "PCR Bank Specfiers".
++.RE
++.IP \[bu] 2
++\f[B]\-F\f[],**\-\-pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[]
++.RS 2
++.PP
++Optional Path or Name of the file containing expected pcr values for the
++specified index.
++Default is to read the current PCRs per the set list.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH PCR Bank Specfiers
++.PP
++PCR Bank Selection lists follow the below specification:
++.IP
++.nf
++\f[C]
++<BANK>:<PCR>[,<PCR>]
++\f[]
++.fi
++.PP
++multiple banks may be separated by \[aq]+\[aq].
++.PP
++For example:
++.IP
++.nf
++\f[C]
++sha:3,4+sha256:5,6
++\f[]
++.fi
++.PP
++will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
++SHA256 bank.
++.SS Note
++.PP
++PCR Selections allow for up to 5 hash to pcr selection mappings.
++This is a limitaion in design in the single call to the tpm to get the
++pcr values.
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_unseal\ \-H\ 0x81010001\ \-P\ abc123\ \-o\ out.dat
++tpm2_unseal\ \-c\ item.context\ \-P\ abc123\ \-o\ out.dat
++tpm2_unseal\ \-H\ 0x81010001\ \-P\ "hex:123abc"\ \-o\ out.dat
++tpm2_unseal\ \-c\ item.context\ \-L\ sha1:0,1,2\ \-F\ out.dat
++\f[]
++.fi
++.SH RETURNS
++.PP
++0 on success or 1 on failure.
++.SH BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.SH HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+diff --git a/man/man1/tpm2_verifysignature.1 b/man/man1/tpm2_verifysignature.1
+new file mode 100644
+index 000000000000..ed047386d4f8
+--- /dev/null
++++ b/man/man1/tpm2_verifysignature.1
+@@ -0,0 +1,244 @@
++.\" Automatically generated by Pandoc 1.19.1
++.\"
++.TH "tpm2_verifysignature" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual"
++.hy
++.SH NAME
++.PP
++\f[B]tpm2_verifysignature\f[](1) \- Validates a signature using the TPM.
++.SH SYNOPSIS
++.PP
++\f[B]tpm2_verifysignature\f[] [\f[I]OPTIONS\f[]]
++.SH DESCRIPTION
++.PP
++\f[B]tpm2_verifysignature\f[](1) uses loaded keys to validate a
++signature on a message with the message digest passed to the TPM.
++If the signature check succeeds, then the TPM will produce a
++\f[B]TPMT_TK_VERIFIED\f[].
++Otherwise, the TPM shall return \f[B]TPM_RC_SIGNATURE\f[].
++If \f[I]KEY_HANDLE\f[] references an asymmetric key, only the public
++portion of the key needs to be loaded.
++If \f[I]KEY_HANDLE\f[] references a symmetric key, both the public and
++private portions need to be loaded.
++.SH OPTIONS
++.IP \[bu] 2
++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]:
++.RS 2
++.PP
++Handle of key that will used in the validation.
++.RE
++.IP \[bu] 2
++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]:
++.RS 2
++.PP
++Filename of the key context used for the operation.
++.RE
++.IP \[bu] 2
++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]:
++.RS 2
++.PP
++The hash algorithm used to digest the message.
++Algorithms should follow the "formatting standards, see section
++"Algorithm Specifiers".
++Also, see section "Supported Hash Algorithms" for a list of supported
++hash algorithms.
++.RE
++.IP \[bu] 2
++\f[B]\-m\f[], \f[B]\-\-msg\f[]=\f[I]MSG_FILE\f[]:
++.RS 2
++.PP
++The message file, containing the content to be digested.
++.RE
++.IP \[bu] 2
++\f[B]\-D\f[], \f[B]\-\-digest\f[]=\f[I]DIGEST_FILE\f[]:
++.RS 2
++.PP
++The input hash file, containing the hash of the message.
++If this option is selected, then the message (\f[B]\-m\f[]) and
++algorithm (\f[B]\-g\f[]) options do not need to be specified.
++.RE
++.IP \[bu] 2
++\f[B]\-s\f[], \f[B]\-\-sig\f[]=\f[I]SIG_FILE\f[]:
++.RS 2
++.PP
++The input signature file of the signature to be validated.
++.RE
++.IP \[bu] 2
++\f[B]\-r\f[], \f[B]\-\-raw\f[]:
++.RS 2
++.PP
++Set the input signature file to raw type.
++The default is TPMT_SIGNATURE.
++.RE
++.IP \[bu] 2
++\f[B]\-t\f[], \f[B]\-\-ticket\f[]=\f[I]TICKET_FILE\f[]:
++.RS 2
++.PP
++The ticket file to record the validation structure.
++.RE
++.IP \[bu] 2
++\f[B]\-S\f[],
++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]:
++.RS 2
++.PP
++Optional Input session handle from a policy session for authorization.
++.RE
++.SH COMMON OPTIONS
++.PP
++This collection of options are common to many programs and provide
++information that many users may expect.
++.IP \[bu] 2
++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage.
++This requires the manpages to be installed or on \f[I]MANPATH\f[], See
++man(1) for more details.
++.IP \[bu] 2
++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
++tool, supported tctis and exit.
++.IP \[bu] 2
++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the
++tool prints to the console during its execution.
++When using this option the file and line number are printed.
++.IP \[bu] 2
++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout.
++.IP \[bu] 2
++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of
++errata fixups.
++Useful if an errata fixup needs to be applied to commands sent to the
++TPM.
++# TCTI ENVIRONMENT
++.PP
++This collection of environment variables that may be used to configure
++the various TCTI modules available.
++.PP
++The values passed through these variables can be overridden on a
++per\-command basis using the available command line options, see the
++\f[I]TCTI_OPTIONS\f[] section.
++.PP
++The variables respected depend on how the software was configured.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication
++with the next component down the TSS stack.
++In most configurations this will be the TPM but it could be a simulator
++or proxy.
++The current known TCTIs are:
++.RS 2
++.IP \[bu] 2
++tabrmd \- The new resource manager, called
++tabrmd (https://github.com/01org/tpm2-abrmd).
++.IP \[bu] 2
++socket \- Typically used with the old resource manager, or talking
++directly to a simulator.
++.IP \[bu] 2
++device \- Used when talking directly to a TPM device file.
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the
++TPM device file.
++The default is "/dev/tpm0".
++.RS 2
++.PP
++Note: Using the tpm directly requires the users to ensure that
++concurrent access does not occur and that they manage the tpm resources.
++These tasks are usually managed by a resource manager.
++Linux 4.12 and greater supports an in kernel resource manager at
++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0".
++.RE
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify
++the domain name or IP address used.
++The default is 127.0.0.1.
++.IP \[bu] 2
++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the
++port number used.
++The default is 2321.
++.SH TCTI OPTIONS
++.PP
++This collection of options are used to configure the varous TCTI modules
++available.
++They override any environment variables.
++.IP \[bu] 2
++\f[B]\-T\f[],
++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]:
++Select the TCTI used for communication with the next component down the
++TSS stack.
++In most configurations this will be the resource manager:
++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific
++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to
++\f[I]TCTI_NAME\f[].
++.RS 2
++.IP \[bu] 2
++For the device TCTI, the TPM device file for use by the device TCTI can
++be specified.
++The default is /dev/tpm0.
++Example: \f[B]\-T device:/dev/tpm0\f[]
++.IP \[bu] 2
++For the socket TCTI, the domain name or IP address and port number used
++by the socket can be specified.
++The default are 127.0.0.1 and 2321.
++Example: \f[B]\-T socket:127.0.0.1:2321\f[]
++.IP \[bu] 2
++For the abrmd TCTI, it takes no options.
++Example: \f[B]\-T abrmd\f[]
++.RE
++.SH Password Formatting
++.PP
++Passwords are interpreted in two forms, string and hex\-string.
++A string password is not interpreted, and is directly used for
++authorization.
++A hex\-string, is converted from a hexidecimal form into a byte array
++form, thus allowing passwords with non\-printable and/or terminal
++un\-friendly characters.
++.PP
++By default passwords are assumed to be in the string form.
++Password form is specified with special prefix values, they are:
++.IP \[bu] 2
++str: \- Used to indicate it is a raw string.
++Useful for escaping a password that starts with the "hex:" prefix.
++.IP \[bu] 2
++hex: \- Used when specifying a password in hex string format.
++.SH Supported Hash Algorithms
++.PP
++Supported hash algorithms are:
++.IP \[bu] 2
++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[]
++\f[B](default)\f[]
++.IP \[bu] 2
++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[]
++.IP \[bu] 2
++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[]
++.IP \[bu] 2
++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[]
++.IP \[bu] 2
++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[]
++.PP
++\f[B]NOTE\f[]: Your TPM may not support all algorithms.
++.SH Algorithm Specfiers
++.PP
++Options that take algorithms support "nice\-names".
++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4.
++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[]
++from the Algorithm Name field and converting it to lower case.
++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[].
++.PP
++The algorithms can be found at:
++<https://trustedcomputinggroup.org/wp-content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
++.SH EXAMPLES
++.IP
++.nf
++\f[C]
++tpm2_verifysignature\ \-k\ 0x81010001\ \-g\ sha256\ \-m\ <filePath>\ \-s\ <filePath>\ \-t\ <filePath>
++tpm2_verifysignature\ \-k\ 0x81010001\ \-D\ <filePath>\ \-s\ <filePath>\ \-t\ <filePath>
++tpm2_verifysignature\ \-c\ key.context\ \-g\ sha256\ \-m\ <filePath>\ \-s\ <filePath>\ \-t\ <filePath>
++\f[]
++.fi
++.PP
++RETURNS
++.PP
++0 on success or 1 on failure.
++.PP
++BUGS
++.PP
++Github Issues (https://github.com/01org/tpm2-tools/issues)
++.PP
++HELP
++.PP
++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
+-- 
+2.14.3
+
diff --git a/SOURCES/autoconf-fixup.patch b/SOURCES/autoconf-fixup.patch
new file mode 100644
index 0000000..1ff90e8
--- /dev/null
+++ b/SOURCES/autoconf-fixup.patch
@@ -0,0 +1,10 @@
+diff -urN tpm2-tools-3.0.1/configure.ac tpm2-tools-3.0.1-new/configure.ac
+--- tpm2-tools-3.0.1/configure.ac	2017-12-08 11:19:47.000000000 -0700
++++ tpm2-tools-3.0.1-new/configure.ac	2017-12-15 10:01:43.128340107 -0700
+@@ -1,5 +1,4 @@
+-AC_INIT([tpm2-tools],
+-    [m4_esyscmd_s([git describe --tags --always --dirty])])
++AC_INIT([tpm2-tools],[3.0.1])
+ AC_CONFIG_MACRO_DIR([m4])
+ AC_PROG_CC
+ LT_INIT
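Review bot: The literal in `AC_INIT([tpm2-tools],[3.0.1])` now duplicates the tarball version, and nothing in this patch ties the two together. Only the `AC_INIT` lines and three context lines have to match, so the patch would probably still apply after a rebase to a newer tarball, and the tools would then keep reporting 3.0.1, which misleads anyone matching installed versions against advisories. I would add a header line to the patch file saying why it exists and what to update, e.g. `git describe is unavailable when building from the release tarball; keep this literal equal to the packaged version`. Alternatively the spec could substitute the version at %prep time (the spec is not visible here).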
diff --git a/SOURCES/ekservaddr.patch b/SOURCES/ekservaddr.patch
deleted file mode 100644
index 496e180..0000000
--- a/SOURCES/ekservaddr.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp
---- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp	2017-04-05 11:26:04.740073304 -0700
-+++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp	2017-04-05 11:26:53.973845213 -0700
-@@ -615,8 +615,7 @@
-                 printf("TPM Manufacturer Endorsement Credential Server Address cannot be NULL\n");
-                 return -99;
-             }
--            EKserverAddr = (char *)malloc(strlen(optarg));
--            strncpy(EKserverAddr, optarg, strlen(optarg));
-+            EKserverAddr = strdup(optarg);
-             printf("TPM Manufacturer EK provisioning address -- %s\n", EKserverAddr);
-             break;
-         default:
diff --git a/SOURCES/fix-resource-leak-InitSysContext.patch b/SOURCES/fix-resource-leak-InitSysContext.patch
deleted file mode 100644
index e5dcf61..0000000
--- a/SOURCES/fix-resource-leak-InitSysContext.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -ur tpm2.0-tools-1.1.0/src/syscontext.c tpm2.0-tools-1.1.0-new/src/syscontext.c
---- tpm2.0-tools-1.1.0/src/syscontext.c	2016-11-04 07:13:32.000000000 -0700
-+++ tpm2.0-tools-1.1.0-new/src/syscontext.c	2017-04-04 22:46:07.365948473 -0700
-@@ -59,8 +59,10 @@
- 
-         if( rval == TSS2_RC_SUCCESS )
-             return sysContext;
--        else
-+        else {
-+	    free(sysContext);
-             return 0;
-+	}
-     }
-     else
-     {
diff --git a/SOURCES/max-nv-buffer.patch b/SOURCES/max-nv-buffer.patch
new file mode 100644
index 0000000..aebdf94
--- /dev/null
+++ b/SOURCES/max-nv-buffer.patch
@@ -0,0 +1,28 @@
+diff -urN tpm2-tools-3.0.1/tools/tpm2_nvread.c tpm2-tools-3.0.1-new/tools/tpm2_nvread.c
+--- tpm2-tools-3.0.1/tools/tpm2_nvread.c	2017-12-11 08:34:01.000000000 -0700
++++ tpm2-tools-3.0.1-new/tools/tpm2_nvread.c	2017-12-15 18:08:18.361935382 -0700
+@@ -120,6 +120,10 @@
+         return false;
+     }
+ 
++    if (max_data_size > MAX_NV_BUFFER_SIZE) {
++        max_data_size = MAX_NV_BUFFER_SIZE;
++    }
++
+     UINT8 *data_buffer = malloc(data_size);
+     if (!data_buffer) {
+         LOG_ERR("oom");
+diff -urN tpm2-tools-3.0.1/tools/tpm2_nvwrite.c tpm2-tools-3.0.1-new/tools/tpm2_nvwrite.c
+--- tpm2-tools-3.0.1/tools/tpm2_nvwrite.c	2017-12-11 08:34:01.000000000 -0700
++++ tpm2-tools-3.0.1-new/tools/tpm2_nvwrite.c	2017-12-15 18:08:09.055066735 -0700
+@@ -116,6 +116,10 @@
+         return false;
+     }
+ 
++    if (max_data_size > MAX_NV_BUFFER_SIZE) {
++        max_data_size = MAX_NV_BUFFER_SIZE;
++    }
++
+     UINT16 data_offset = 0;
+     UINT16 bytes_left = ctx.nv_buffer.t.size;
+     while (bytes_left > 0) {
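Review bot: The new `if (max_data_size > MAX_NV_BUFFER_SIZE)` clamp in tpm2_nvread.c and tpm2_nvwrite.c bounds only the upper side and carries no explanation. If the value, which presumably comes from a TPM capability query above the hunk, can be 0, the `while (bytes_left > 0)` loop in tpm2_nvwrite.c may never advance. The loop body is outside the hunk, so this needs confirming, but a guard such as `if (max_data_size == 0) { LOG_ERR("TPM reported a zero NV buffer size"); return false; }` would make the lower bound explicit. I would also put a comment above the clamp, `/* The TPM-reported maximum can exceed the local NV buffer; clamp so each chunk fits. */`, and give the patch file a short description header naming the overflow it guards against. Both enclosing functions start and end outside the hunks.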
diff --git a/SOURCES/ret-on-success-rc-decode.patch b/SOURCES/ret-on-success-rc-decode.patch
deleted file mode 100644
index b0ee2a5..0000000
--- a/SOURCES/ret-on-success-rc-decode.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -ur tpm2.0-tools-1.1.0/src/tpm2_rc_decode.c tpm2.0-tools-1.1.0-new/src/tpm2_rc_decode.c
---- tpm2.0-tools-1.1.0/src/tpm2_rc_decode.c	2016-11-04 07:13:32.000000000 -0700
-+++ tpm2.0-tools-1.1.0-new/src/tpm2_rc_decode.c	2017-04-05 14:23:36.654804125 -0700
-@@ -246,6 +246,7 @@
-         fprintf (stderr, "Unknown TPM_RC format\n");
-         return -1;
-     }
-+    return 0;
- }
- /* Top level function to dump human readable data about TPM_RCs.
-  */
diff --git a/SOURCES/tpm2-getmanufec-null-ptr-checks.patch b/SOURCES/tpm2-getmanufec-null-ptr-checks.patch
deleted file mode 100644
index 65ac086..0000000
--- a/SOURCES/tpm2-getmanufec-null-ptr-checks.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp
---- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp	2017-04-19 10:35:14.803672435 -0700
-+++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp	2017-04-19 19:08:46.515111070 -0700
-@@ -385,6 +385,10 @@
-     }
- 
-     char *weblink = (char*)malloc(1 + strlen(b64h) + strlen(EKserverAddr));
-+    if (!weblink) {
-+	    fprintf(stderr, "Memory allocation failed.\n");
-+	    return -1;
-+    }
-     memset(weblink, 0, (1 + strlen(b64h) + strlen(EKserverAddr)));
-     strcat(weblink, EKserverAddr);
-     strcat(weblink, b64h);
-@@ -394,6 +398,11 @@
- 
-     FILE * respfile;
-     respfile = fopen(ECcertFile, "wb");
-+    if (!respfile) {
-+	    fprintf(stderr, "Unable to open file: %s\n", ECcertFile);
-+	    free(weblink);
-+	    return -1;
-+    }
- 
-     curl_global_init(CURL_GLOBAL_DEFAULT);
-     curl = curl_easy_init();
diff --git a/SOURCES/tpm2-listpcrs-select.patch b/SOURCES/tpm2-listpcrs-select.patch
deleted file mode 100644
index 1d2693b..0000000
--- a/SOURCES/tpm2-listpcrs-select.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-diff -ur tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp
---- tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp	2017-05-15 15:02:54.844952364 -0700
-+++ tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp	2017-05-15 15:06:26.224438974 -0700
-@@ -159,38 +159,36 @@
-     return 0;
- }
- 
--void preparePcrSelections_g(TPMI_ALG_HASH algId)
-+int preparePcrSelections(TPMI_ALG_HASH algId)
- {
--    UINT32 pcrId = 0;
--
--    g_pcrSelections.count = 1;
--    g_pcrSelections.pcrSelections[0].hash = algId;
--    SET_PCR_SELECT_SIZE(g_pcrSelections.pcrSelections[0], 3);
--    CLEAR_PCR_SELECT_BITS(g_pcrSelections.pcrSelections[0]);
--
--    for(pcrId = 0; pcrId < 24; pcrId++)
-+    TPMI_YES_NO moreData;
-+    TPMS_CAPABILITY_DATA capabilityData;
-+    UINT32 rval;
-+
-+    rval = Tss2_Sys_GetCapability( sysContext, 0, TPM_CAP_PCRS, 0, 1,
-+                                   &moreData, &capabilityData, 0 );
-+    if(rval != TPM_RC_SUCCESS)
-     {
--        SET_PCR_SELECT_BIT(g_pcrSelections.pcrSelections[0], pcrId );
-+        printf("\n......GetCapability: Get PCR allocation status Error. TPM Error:0x%x......\n", rval);
-+        return -1;
-     }
--}
--
--void preparePcrSelections()
--{
--    UINT32 pcrId = 0;
- 
-     g_pcrSelections.count = 0;
--    for( int i = 0; i < g_banks.count; i++ )
-+    for( int i=0; i < capabilityData.data.assignedPCR.count; i++ )
-     {
--        g_pcrSelections.pcrSelections[i].hash = g_banks.alg[i];
--        SET_PCR_SELECT_SIZE(g_pcrSelections.pcrSelections[i], 3);
--        CLEAR_PCR_SELECT_BITS(g_pcrSelections.pcrSelections[i]);
--
--        for(pcrId = 0; pcrId < 24; pcrId++)
--        {
--            SET_PCR_SELECT_BIT(g_pcrSelections.pcrSelections[i], pcrId );
--        }
-+        if (algId && (capabilityData.data.assignedPCR.pcrSelections[i].hash != algId))
-+            continue;
-+        g_pcrSelections.pcrSelections[g_pcrSelections.count].hash = capabilityData.data.assignedPCR.pcrSelections[i].hash;
-+        SET_PCR_SELECT_SIZE(g_pcrSelections.pcrSelections[g_pcrSelections.count], capabilityData.data.assignedPCR.pcrSelections[i].sizeofSelect);
-+        for (int j = 0; j < g_pcrSelections.pcrSelections[g_pcrSelections.count].sizeofSelect; j++)
-+            g_pcrSelections.pcrSelections[g_pcrSelections.count].pcrSelect[j] = capabilityData.data.assignedPCR.pcrSelections[i].pcrSelect[j];
-         g_pcrSelections.count++;
-     }
-+
-+    if (g_pcrSelections.count == 0)
-+        return -1;
-+
-+    return 0;
- }
- 
- // show all PCR banks according to g_pcrSelection & g_pcrs.
-@@ -205,7 +203,7 @@
-         printf("\nBank/Algorithm: %s(0x%04x)\n",
-                g_algs[alg_i].desc, g_pcrSelections.pcrSelections[i].hash);
- 
--        for(UINT32 pcrId = 0; pcrId < 24; pcrId++)
-+        for(UINT32 pcrId = 0; pcrId < g_pcrSelections.pcrSelections[i].sizeofSelect * 8; pcrId++)
-         {
-             if(!TEST_PCR_SELECT_BIT(g_pcrSelections.pcrSelections[i], pcrId))
-                 continue;
-@@ -246,7 +244,8 @@
- 
- int showAllPcrValues()
- {
--    preparePcrSelections();
-+    if(preparePcrSelections(0))
-+        return -1;
- 
-     if(readPcrValues())
-         return -1;
-@@ -270,7 +269,8 @@
- 
- int showAlgPcrValues(TPMI_ALG_HASH algId)
- {
--    preparePcrSelections_g(algId);
-+    if(preparePcrSelections(algId))
-+        return -1;
- 
-     if(readPcrValues())
-         return -1;
diff --git a/SOURCES/tpm2_getmanuc-null-check.patch b/SOURCES/tpm2_getmanuc-null-check.patch
deleted file mode 100644
index d195787..0000000
--- a/SOURCES/tpm2_getmanuc-null-check.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp
---- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp	2017-04-05 15:47:18.271030008 -0700
-+++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp	2017-04-05 15:47:39.326377029 -0700
-@@ -332,9 +332,16 @@
- 
- char *Base64Encode(const unsigned char* buffer)
- {
--    printf("Calculating the Base64Encode of the hash of the Endorsement Public Key:\n");
-     BIO *bio, *b64;
-     BUF_MEM *bufferPtr;
-+
-+    printf("Calculating the Base64Encode of the hash of the Endorsement Public Key:\n");
-+
-+    if (buffer == NULL) {
-+	    printf("HashEKPublicKey returned null\n");
-+	    return NULL;
-+    }
-+
-     b64 = BIO_new(BIO_f_base64());
-     bio = BIO_new(BIO_s_mem());
-     bio = BIO_push(b64, bio);
-@@ -371,6 +378,12 @@
- int RetrieveEndorsementCredentials(char *b64h)
- {
-     printf("Retrieving Endorsement Credential Certificate from the TPM Manufacturer EK Provisioning Server\n");
-+
-+    if (b64h == NULL) {
-+	    printf("Base64Encode returned null\n");
-+	    return -1;
-+    }
-+
-     char *weblink = (char*)malloc(1 + strlen(b64h) + strlen(EKserverAddr));
-     memset(weblink, 0, (1 + strlen(b64h) + strlen(EKserverAddr)));
-     strcat(weblink, EKserverAddr);
-@@ -416,8 +429,7 @@
-         printf("TPM Manufacturer Endorsement Credential Server Address cannot be NULL\n");
-         return -99;
-     }
--    RetrieveEndorsementCredentials(Base64Encode(HashEKPublicKey()));
--    return 0;
-+    return RetrieveEndorsementCredentials(Base64Encode(HashEKPublicKey()));
- }
- 
- void showHelp(const char *name)
diff --git a/SOURCES/tpm2_getmanufec-leak-clean.patch b/SOURCES/tpm2_getmanufec-leak-clean.patch
deleted file mode 100644
index 08e1e67..0000000
--- a/SOURCES/tpm2_getmanufec-leak-clean.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp
---- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp	2017-04-05 15:48:37.613337680 -0700
-+++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp	2017-04-05 15:48:47.806505677 -0700
-@@ -418,6 +418,7 @@
-     curl_global_cleanup();
-     printf("\n");
-     free(weblink);
-+    fclose(respfile);
-     return 0;
- }
- 
diff --git a/SOURCES/void-return-listpcrs.patch b/SOURCES/void-return-listpcrs.patch
deleted file mode 100644
index e273156..0000000
--- a/SOURCES/void-return-listpcrs.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -ur tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp
---- tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp	2016-11-04 07:13:32.000000000 -0700
-+++ tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp	2017-04-05 02:43:59.619719509 -0700
-@@ -159,7 +159,7 @@
-     return 0;
- }
- 
--int preparePcrSelections_g(TPMI_ALG_HASH algId)
-+void preparePcrSelections_g(TPMI_ALG_HASH algId)
- {
-     UINT32 pcrId = 0;
- 
diff --git a/SPECS/tpm2-tools.spec b/SPECS/tpm2-tools.spec
index 715d2a9..308ecfa 100644
--- a/SPECS/tpm2-tools.spec
+++ b/SPECS/tpm2-tools.spec
@@ -1,56 +1,48 @@
 Name: tpm2-tools
-Version: 1.1.0 
-Release: 7%{?dist}
+Version: 3.0.1
+Release: 1%{?dist}
 Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
 
-%global pkg_prefix tpm2.0-tools
-
 License: BSD
-URL:     https://github.com/01org/tpm2.0-tools
-Source0: https://github.com/01org/tpm2.0-tools/archive/v%{version}.tar.gz#/%{pkg_prefix}-%{version}.tar.gz
-# RHEL only. code no longer exists upstream
-Patch0000: fix-resource-leak-InitSysContext.patch
-# RHEL only. Upstream commit 2b6bb441 contains this and more.
-# Added code to clean up hash malloc in err paths
-Patch0001: HashEKPublicKey-cleanup.patch
-# Submitted upstream. https://github.com/01org/tpm2.0-tools/pull/272
-# Slightly different for RHEL due to code differences
-Patch0002: tpm2_getmanuc-null-check.patch
-# Fix is part of upstream commit 2b6bb441.
-Patch0003: tpm2_getmanufec-leak-clean.patch
-# Similar to part of upstream commit 2b6bb441.
-Patch0004: ekservaddr.patch
-# RHEL only. code completely changed upstream
-Patch0005: void-return-listpcrs.patch
-# Upstream commit 778bd1a0a1b5
-Patch0006: ret-on-success-rc-decode.patch
-# Based on part of upstream commit 2b6bb441.
-Patch0007: tpm2-getmanufec-null-ptr-checks.patch
-# similar fix submitted upstream https://github.com/01org/tpm2.0-tools/pull/284
-Patch0008: tpm2-listpcrs-select.patch
-
-BuildRequires: gcc
+URL:     https://github.com/01org/tpm2-tools
+Source0: https://github.com/01org/tpm2-tools/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+
+# work around lack of pandoc in RHEL7
+Patch0: add-man-pages.patch
+# Deal with RHEL rpmbuilds not being from git
+Patch1: autoconf-fixup.patch
+# Upstream commit ab1a2d468c4b2ac09a0ac651563653f36a73215f
+Patch2: 0001-tpm2_nvwrite-fix-buffer-overflow.patch
+# Submitted upstream: https://github.com/intel/tpm2-tools/pull/725
+Patch3: max-nv-buffer.patch
+
 BuildRequires: gcc-c++
 BuildRequires: libtool
+BuildRequires: autoconf-archive
+BuildRequires: pkgconfig(cmocka)
 BuildRequires: pkgconfig(libcurl)
 BuildRequires: pkgconfig(openssl)
 # tpm2-tss-devel provides sapi/tcti-device/tcti-socket
 BuildRequires: pkgconfig(sapi)
 BuildRequires: pkgconfig(tcti-device)
 BuildRequires: pkgconfig(tcti-socket)
+BuildRequires: pkgconfig(tcti-tabrmd)
 
 # this package does not support big endian arch so far,
 # and has been verified only on Intel platforms.
 ExclusiveArch: %{ix86} x86_64
 
 # tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required
-Requires: tpm2-tss%{?_isa} >= 1.0-2%{?dist} 
+Requires: tpm2-tss%{?_isa} >= 1.3.0-1%{?dist}
+
+# tpm2-tools project changed the install path for binaries and man page section
+Obsoletes: tpm2-tools <= 2.1.0-2
 
 %description
 tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
 
 %prep
-%autosetup -p1 -n %{pkg_prefix}-%{version}
+%autosetup -p1 -n %{name}-%{version}
 ./bootstrap
 
 %build
@@ -61,11 +53,24 @@ tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
 %make_install
 
 %files
-%doc README.md CHANGELOG 
+%doc README.md CHANGELOG.md
 %license LICENSE
-%{_sbindir}/tpm2_*
+%{_bindir}/tpm2_*
+%{_mandir}/man1/tpm2_*.1.gz
 
 %changelog
+* Wed Dec 13 2017 Jerry Snitselaar <jsnitsel@redhat.com> - 3.0.1-1
+- Rebase to 3.0.1 release
+resolves: rhbz#1463100
+
+* Wed Oct 18 2017 Jerry Snitselaar <jsnitsel@redhat.com> - 2.1.0-2
+- Fix potential memory leak
+resolves: rhbz#1463100
+
+* Wed Aug 30 2017 Jerry Snitselaar <jsnitsel@redhat.com> - 2.1.0-1
+- Rebase to 2.1.0 release
+resolves: rhbz#1463100
+
 * Mon May 15 2017 Jerry Snitselaar <jsnitsel@redhat.com> - 1.1.0-7
 - decide pcrs to read based off data returned from TPM2_GetCapability
 resolves: rhbz#1449276