diff --git a/.gitignore b/.gitignore index 7d7a8a8..58b3e9d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/tpm2.0-tools-1.1.0.tar.gz +SOURCES/tpm2-tools-3.0.1.tar.gz diff --git a/.tpm2-tools.metadata b/.tpm2-tools.metadata index a2ad6c3..4e3bb2c 100644 --- a/.tpm2-tools.metadata +++ b/.tpm2-tools.metadata @@ -1 +1 @@ -1d27f0e7564e7bf83b5751e5e9eb3f73c5dc971e SOURCES/tpm2.0-tools-1.1.0.tar.gz +957e94aeca335b40b2e58729f82ce4b4aa5b525a SOURCES/tpm2-tools-3.0.1.tar.gz diff --git a/SOURCES/0001-tpm2_nvwrite-fix-buffer-overflow.patch b/SOURCES/0001-tpm2_nvwrite-fix-buffer-overflow.patch new file mode 100644 index 0000000..91ee61d --- /dev/null +++ b/SOURCES/0001-tpm2_nvwrite-fix-buffer-overflow.patch @@ -0,0 +1,91 @@ +From ab1a2d468c4b2ac09a0ac651563653f36a73215f Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Fri, 15 Dec 2017 11:43:42 -0800 +Subject: [PATCH] tpm2_nvwrite: fix buffer overflow + +As reported by clang asan: + +================================================================= +==435==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe036c0902 at pc 0x0000004a326d bp 0x7ffe036c02f0 sp 0x7ffe036bfaa0 +WRITE of size 2048 at 0x7ffe036c0902 thread T0 + #0 0x4a326c in __asan_memcpy (/home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite+0x4a326c) + #1 0x4e887b in nv_write /home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite.c:129:9 + #2 0x4e82c4 in tpm2_tool_onrun /home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite.c:316:11 + #3 0x4e90d9 in main /home/wcrobert/workspace/tpm2-tools/tools/tpm2_tool.c:150:11 + #4 0x7fdfc968d82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 + #5 0x4195c8 in _start (/home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite+0x4195c8) + +Address 0x7ffe036c0902 is located in stack of thread T0 at offset 1538 in frame + #0 0x4e846f in nv_write /home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite.c:76 + + This frame has 8 object(s): + [32, 172) 'session_data_out' + [240, 256) 'sessions_data' + [272, 288) 'sessions_data_out' + [304, 312) 'session_data_array' + [336, 344) 'session_data_out_array' + [368, 452) 'nv_public' + [496, 500) 'max_data_size' + [512, 1538) 'nv_write_data' <== Memory access at offset 1538 overflows this variable +HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext + (longjmp and C++ exceptions *are* supported) +SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/wcrobert/workspace/tpm2-tools/tools/tpm2_nvwrite+0x4a326c) in __asan_memcpy +Shadow bytes around the buggy address: + 0x1000406d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000406d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000406d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000406d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000406d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x1000406d0120:[02]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 + 0x1000406d0130: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000406d0140: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 + 0x1000406d0150: 00 00 00 00 00 00 00 00 02 f2 f2 f2 f2 f2 00 f3 + 0x1000406d0160: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000406d0170: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 01 f2 00 f3 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==435==ABORTING + +Fix by using the max buffer's size field, not the loaded from +file buffers size field. + +Signed-off-by: William Roberts +--- + tools/tpm2_nvwrite.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/tpm2_nvwrite.c b/tools/tpm2_nvwrite.c +index 63c892f..a412898 100644 +--- a/tools/tpm2_nvwrite.c ++++ b/tools/tpm2_nvwrite.c +@@ -127,7 +127,7 @@ static bool nv_write(TSS2_SYS_CONTEXT *sapi_context) { + LOG_INFO("The data(size=%d) to be written:", nv_write_data.t.size); + + memcpy(nv_write_data.t.buffer, &ctx.nv_buffer.t.buffer[data_offset], +- ctx.nv_buffer.t.size); ++ nv_write_data.t.size); + + TPM_RC rval = TSS2_RETRY_EXP(Tss2_Sys_NV_Write(sapi_context, ctx.auth_handle, + ctx.nv_index, &sessions_data, &nv_write_data, ctx.offset + data_offset, +-- +2.15.0 + diff --git a/SOURCES/HashEKPublicKey-cleanup.patch b/SOURCES/HashEKPublicKey-cleanup.patch deleted file mode 100644 index f78ca91..0000000 --- a/SOURCES/HashEKPublicKey-cleanup.patch +++ /dev/null @@ -1,97 +0,0 @@ -diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp ---- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp 2016-11-04 07:13:32.000000000 -0700 -+++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp 2017-04-05 15:46:04.144808304 -0700 -@@ -30,7 +30,7 @@ - //**********************************************************************; - - #include -- -+#include - #include - #include - #include -@@ -264,27 +264,69 @@ - - unsigned char *HashEKPublicKey(void) - { -- printf("Calculating the SHA256 hash of the Endorsement Public Key\n"); -- FILE *fp; -+ FILE *fp = NULL; -+ unsigned char *hash = NULL; - unsigned char EKpubKey[259]; -- unsigned char *hash = (unsigned char*)malloc(SHA256_DIGEST_LENGTH); -+ int rc, is_success; -+ unsigned int i; -+ size_t read; -+ -+ printf("Calculating the SHA256 hash of the Endorsement Public Key\n"); -+ - fp = fopen(outputFile, "rb"); -- if (fp == NULL) -- printf("File Open Error\n"); -- else -- { -- fseek(fp, 0x66, 0); -- fread(EKpubKey, 1, 256, fp); -+ if (fp == NULL) { -+ fprintf(stderr, "Could not open file: \"%s\"\n", outputFile); -+ return NULL; - } -- fclose(fp); -- EKpubKey[256] = 0x01; EKpubKey[257] = 0x00; EKpubKey[258] = 0x01; //Exponent -+ rc = fseek(fp, 0x66, 0); -+ if (rc < 0) { -+ fprintf(stderr, "Could not perform fseek: %s\n", strerror(errno)); -+ goto out; -+ } -+ read = fread(EKpubKey, 1, 256, fp); -+ if (read != 256) { -+ fprintf(stderr, "Could not read whole file.\n"); -+ goto out; -+ } -+ -+ hash = (unsigned char*)malloc(SHA256_DIGEST_LENGTH); -+ if (hash == NULL) { -+ fprintf(stderr, "Memory allocation failed.\n"); -+ goto out; -+ } -+ -+ EKpubKey[256] = 0x01; -+ EKpubKey[257] = 0x00; -+ EKpubKey[258] = 0x01; //Exponent - SHA256_CTX sha256; -- SHA256_Init(&sha256); -- SHA256_Update(&sha256, EKpubKey, sizeof(EKpubKey)); -- SHA256_Final(hash, &sha256); -- for (int i = 0; i < SHA256_DIGEST_LENGTH; i++) -+ is_success = SHA256_Init(&sha256); -+ if (!is_success) { -+ fprintf(stderr, "SHA256_Init failed\n"); -+ goto hash_out; -+ } -+ -+ is_success = SHA256_Update(&sha256, EKpubKey, sizeof(EKpubKey)); -+ if (!is_success) { -+ fprintf(stderr, "SHA256_Update failed\n"); -+ goto hash_out; -+ } -+ -+ is_success = SHA256_Final(hash, &sha256); -+ if (!is_success) { -+ fprintf(stderr, "SHA256_Final failed\n"); -+ goto hash_out; -+ } -+ -+ for (i = 0; i < SHA256_DIGEST_LENGTH; i++) - printf("%02X", hash[i]); - printf("\n"); -+ goto out; -+ -+hash_out: -+ free(hash); -+ hash = NULL; -+out: -+ fclose(fp); - return hash; - } - diff --git a/SOURCES/add-man-pages.patch b/SOURCES/add-man-pages.patch new file mode 100644 index 0000000..2320055 --- /dev/null +++ b/SOURCES/add-man-pages.patch @@ -0,0 +1,7751 @@ +diff --git a/Makefile.am b/Makefile.am +index 2034c2500b3e..9dfe2ca1ea7c 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -270,7 +270,6 @@ EXTRA_DIST = $(top_srcdir)/man \ + README.md \ + RELEASE.md + +-if HAVE_PANDOC + man1_MANS := \ + man/man1/tpm2_activatecredential.1 \ + man/man1/tpm2_certify.1 \ +@@ -311,7 +310,6 @@ if HAVE_PANDOC + man/man1/tpm2_takeownership.1 \ + man/man1/tpm2_unseal.1 \ + man/man1/tpm2_verifysignature.1 +-endif + + MARKDOWN_COMMON_DEPS = \ + man/common/alg.md \ +diff --git a/man/man1/tpm2_activatecredential.1 b/man/man1/tpm2_activatecredential.1 +new file mode 100644 +index 000000000000..afe81e4d4b02 +--- /dev/null ++++ b/man/man1/tpm2_activatecredential.1 +@@ -0,0 +1,178 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_activatecredential" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_activatecredential\f[](1) \- verify that an object is ++protected with a specific key. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_activatecredential\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++Verify that the given content is protected with given keyHandle for ++given handle, and then decrypt and return the secret, if any passwd ++option is missing, assume NULL. ++Currently only support using TCG profile compliant EK as the keyHandle. ++.SH OPTIONS ++.PP ++These options control the object verification: ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: \f[I]HANDLE\f[] of ++the object associated with the created certificate by CA. ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: The ++\f[I]KEY_HANDLE\f[] of Loaded key used to decrypt the the random seed. ++.IP \[bu] 2 ++\f[B]\-C\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++\f[I]KEY_CONTEXT_FILE\f[] is the path to a context file. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-password\f[]=\f[I]PASSWORD\f[]: Use ++\f[I]PASSWORD\f[] for providing an authorization value for the ++\f[I]KEY_HANDLE\f[]. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\-\-endorse\-password\f[]=\f[I]ENDORSE_PASSWORD\f[]: ++The endorsement password, optional. ++Follows the same formating guidelines as the handle password option \-P. ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\-\-in\-file\f[]=\f[I]INPUT_FILE\f[]: Input file ++path, containing the two structures needed by tpm2_activatecredential ++function. ++This is created via the tpm2_makecredential(1) command. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]: Output file ++path, record the secret to decrypt the certificate. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_activatecredential\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ abc123\ \-e\ abc123\ \-f\ \ \-o\ ++tpm2_activatecredential\ \-c\ ak.context\ \-C\ ek.context\ \-P\ abc123\ \-e\ abc123\ \-f\ \ \-o\ ++tpm2_activatecredential\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 123abc\ \-e\ 1a1b1c\ \-X\ \-f\ \ \-o\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_certify.1 b/man/man1/tpm2_certify.1 +new file mode 100644 +index 000000000000..f1a5af18d65b +--- /dev/null ++++ b/man/man1/tpm2_certify.1 +@@ -0,0 +1,201 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_certify" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_certify\f[](1) \- prove that an object is loaded in the tpm. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_certify\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_certify\f[](1) proves that an object with a specific ++\f[I]NAME\f[] is loaded in the TPM. ++By certifying that the object is loaded, the TPM warrants that a public ++area with a given \f[I]NAME\f[] is self\-consistent and associated with ++a valid sensitive area. ++If a relying party has a public area that has the same \f[I]NAME\f[] as ++a \f[I]NAME\f[] certified with this command, then the values in that ++public area are correct. ++The object may be any object that is loaded with TPM2_Load() or ++TPM2_CreatePrimary(). ++An object that only has its public area loaded cannot be certified. ++.SH OPTIONS ++.PP ++These options control the ceritifcation: ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-obj\-handle\f[]=\f[I]OBJECT_HANDLE\f[]: The ++handle of the object to be certified. ++.IP \[bu] 2 ++\f[B]\-C\f[], \f[B]\-\-obj\-context\f[]=\f[I]FILE\f[]: Use \f[I]FILE\f[] ++for providing the object context. ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: Handle of ++the key used to sign the attestation structure. ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT\f[]: Filename ++of the key context used to sign the attestation structure. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwdo\f[]=\f[I]OBJECT_PASSWORD\f[]: Use ++\f[I]OBJECT_PASSWORD\f[] for providing an authorization value for the ++object specified in \f[I]OBJECT_HANDLE\f[]. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-K\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: Use ++\f[I]KEY_PASSWORD\f[] for providing an authorization value for the key ++specified in \f[I]KEY_HANDLE\f[]. ++Follows the same formatting guidelines as the object handle password or ++\-P option. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\-\-attest\-file\f[]=\f[I]ATTEST_FILE\f[]: Output ++file name for the attestation data. ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\-\-sig\-file\f[]=\f[I]SIG_FILE\f[]: Output file name ++for the signature data. ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\-\-format\f[] ++.RS 2 ++.PP ++Format selection for the signature output file. ++See section "Signature Format Specifiers". ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Signature Format Specifiers ++.PP ++Format selection for the signature output file. ++\f[B]tss\f[] (the default) will output a binary blob according to the ++TPM 2.0 specification and any potential compiler padding. ++The option \f[B]plain\f[] will output the plain signature data as ++defined by the used cryptographic algorithm. ++# EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_certify\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 0x0011\ \-K\ 0x00FF\ \-g\ 0x00B\ \-a\ \ \-s\ ++tpm2_certify\ \-C\ obj.context\ \-c\ key.context\ \-P\ 0x0011\ \-K\ 0x00FF\ \-g\ 0x00B\ \-a\ \ \-s\ ++tpm2_certify\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 0011\ \-K\ 00FF\ \-X\ \-g\ 0x00B\ \-a\ \ \-s\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_create.1 b/man/man1/tpm2_create.1 +new file mode 100644 +index 000000000000..80e158428a26 +--- /dev/null ++++ b/man/man1/tpm2_create.1 +@@ -0,0 +1,271 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_create" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_create\f[](1) \- create an object that can be loaded into a ++TPM using tpm2_load. ++The object will need to be loaded before it may be used. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_create\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_create\f[](1) \- create an object that can be loaded into a ++TPM using tpm2_load. ++The object will need to be loaded before it may be used. ++.SH OPTIONS ++.PP ++These options for creating the tpm entity: ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-pparent\f[]=\f[I]PARENT_HANDLE\f[]: The handle of ++the parent object to create this object under. ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-context\-parent\f[]=\f[I]PARENT_CONTEXT_FILE\f[]: ++The filename for parent context. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: The ++password for parent key, optional. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-K\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: The password for ++key, optional. ++Follows the password formatting of the "password for parent key" option: ++\-P. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]ALGORITHM\f[]: The hash algorithm ++to use. ++Algorithms should follow the " formatting standards, see section ++"Algorithm Specifiers". ++Also, see section "Supported Hash Algorithms" for a list of supported ++hash algorithms. ++.IP \[bu] 2 ++\f[B]\-G\f[], \f[B]\-\-kalg\f[]=\f[I]KEY_ALGORITHM\f[]: The algorithm ++associated with this object. ++It accepts friendly names just like \-g option. ++See section "Supported Public Object Algorithms" for a list of supported ++object algorithms. ++.IP \[bu] 2 ++\f[B]\-A\f[], \f[B]\-\-object\-attributes\f[]=\f[I]ATTRIBUTES\f[]: The ++object attributes, optional. ++Object attribytes follow the specifications as outlined in "object ++attribute specifiers". ++The default for created objects is: ++.RS 2 ++.PP ++\f[C]TPMA_OBJECT_SIGN|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-I\f[], \f[B]\-\-in\-file\f[]=\f[I]FILE\f[]: The data file to be ++sealed, optional. ++If file is \-, read from stdin. ++When sealing data only the TPM_ALG_KEYEDHASH algorithm is allowed. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: The input ++policy file, optional. ++.IP \[bu] 2 ++\f[B]\-u\f[], \f[B]\-\-pubfile\f[]=\f[I]OUTPUT_PUBLIC_FILE\f[]: The ++output file which contains the public portion of the created object, ++optional. ++.IP \[bu] 2 ++\f[B]\-r\f[], \f[B]\-\-privfile\f[]=\f[I]OUTPUT_PRIVATE_FILE\f[]: The ++output file which contains the sensitive portion of the object, ++optional. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH Object Attributes ++.PP ++Object Attributes are used to control various properties of created ++objects. ++When specified as an option, either the raw bitfield mask or ++"nice\-names" may be used. ++The values can be found in Table 31 Part 2 of the TPM2.0 specification, ++which can be found here: ++.PP ++ ++.PP ++Nice names are calculated by taking the name field of table 31 and ++removing the prefix \f[B]TPMA_OBJECT_\f[] and lowercasing the result. ++Thus, \f[B]TPMA_OBJECT_FIXEDTPM\f[] becomes fixedtpm. ++Nice names can be joined using the bitwise or "|" symbol. ++.PP ++For instance, to set The fields \f[B]TPMA_OBJECT_FIXEDTPM\f[], ++\f[B]TPMA_OBJECT_NODA\f[], and \f[B]TPMA_OBJECT_SIGN\f[], the argument ++would be: ++.PP ++\f[B]fixedtpm|noda|sign\f[] ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_create\ \-H\ 0x81010001\ \-P\ abc123\ \-K\ def456\ \-g\ sha256\ \-G\ keyedhash\-I\ data.File\ \-o\ opu.File ++tpm2_create\ \-c\ parent.context\ \-P\ abc123\ \-K\ def456\ \-g\ sha256\ \-G\ keyedhash\ \-I\ data.File\ \-o\ opu.File ++tpm2_create\ \-H\ 0x81010001\ \-P\ 123abc\ \-K\ 456def\ \-X\ \-g\ sha256\ \-G\ keyedhash\ \-I\ data.File\ \-o\ opu.File ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_createpolicy.1 b/man/man1/tpm2_createpolicy.1 +new file mode 100644 +index 000000000000..355137e38852 +--- /dev/null ++++ b/man/man1/tpm2_createpolicy.1 +@@ -0,0 +1,186 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_createpolicy" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_createpolicy\f[](1) \- Creates simple assertion authorization ++policies based on multiple pcr indices values across multiple enabled ++banks. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_createpolicy\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_createpolicy\f[](1) \- Creates simple assertion authorization ++policies based on multiple pcr indices values across multiple enabled ++banks. ++It can then be used with object creation and or tools using the object. ++.SH OPTIONS ++.PP ++These options control creating the policy authorization session: ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: File to ++save the policy digest. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-policy\-pcr\f[]: Identifies the PCR policy type ++for policy creation. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-policy\-digest\-alg\f[]=\f[I]HASH_ALGORITHM\f[]: ++The hash algorithm used in computation of the policy digest. ++Algorithms should follow the "formatting standards, see section ++"Algorithm Specifiers". ++Also, see section "Supported Hash Algorithms" for a list of supported ++hash algorithms. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\-\-set\-list\f[]=\f[I]PCR_LIST\f[]: The list of pcr ++banks and selected PCRs\[aq] ids (0~23) for each bank. ++.IP \[bu] 2 ++\f[B]\-F\f[], \f[B]\-\-pcr\-input\-file\f[]=\f[I]PCR_FILE\f[]: Optional ++Path or Name of the file containing expected pcr values for the ++specified index. ++Default is to read the current PCRs per the set list. ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\-\-extend\-policy\-session\f[]: Retains the policy ++session at the end of operation. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\-\-auth\-policy\-session\f[]: Start a policy session ++of type \f[B]TPM_SE_POLICY\f[]. ++Default without this option is \f[B]TPM_SE_TRIAL\f[]. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.PP ++Create a authorization policy tied to a specific PCR index: ++.PP ++\f[B]tpm2_createpolicy \-P \-L 0x4:0 \-f policy.file \-F pcr0.bin\f[] ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_createprimary.1 b/man/man1/tpm2_createprimary.1 +new file mode 100644 +index 000000000000..5a77fc162ef1 +--- /dev/null ++++ b/man/man1/tpm2_createprimary.1 +@@ -0,0 +1,273 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_createprimary" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_createprimary\f[](1) \- Create a primary key under a primary ++seed or a temporary primary key under the \f[B]TPM_RH_NULL\f[] ++hierarchy. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_createprimary\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_createprimary\f[](1) \- This command is used to create a ++Primary Object under one of the Primary Seeds or a Temporary Object ++under \f[B]TPM_RH_NULL\f[]. ++The command uses a \f[B]TPM2B_PUBLIC\f[] as a template for the object to ++be created. ++The command will create and load a Primary Object. ++The sensitive area is not returned. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-hierarchy\f[]=\f[I]HIERARCHY\f[]: Specify the ++hierarchy under which the object is created. ++This will also dictate which authorization secret (if any) must be ++supplied. ++Supported options are: ++.RS 2 ++.IP \[bu] 2 ++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.IP \[bu] 2 ++\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[] ++.IP \[bu] 2 ++\f[B]n\f[] for \f[B]TPM_RH_NULL\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: Optional ++authorization string if authorization is required to create object under ++the specified hierarchy. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-K\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: Optional ++authorization string for the newly created object. ++Follows the same password formating guidelines as the parent ++authorization string under the \-P option. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]ALGORITHM\f[]: The hash algorithm ++to use. ++Algorithms should follow the " formatting standards, see section ++"Algorithm Specifiers". ++Also, see section "Supported Hash Algorithms" for a list of supported ++hash algorithms. ++.IP \[bu] 2 ++\f[B]\-G\f[], \f[B]\-\-kalg\f[]=\f[I]KEY_ALGORITHM\f[]: Algorithm type ++for generated key. ++It supports friendly names like the \-g option. ++See section "Supported Public Object Algorithms" for a list of supported ++object algorithms. ++.IP \[bu] 2 ++\f[B]\-C\f[], \f[B]\-\-context\f[]=\f[I]CONTEXT_FILE\f[]: An optional ++file used to store the object context returned. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: An ++optional file input that contains the policy digest for policy based ++authorization of the object. ++.IP \[bu] 2 ++\f[B]\-A\f[], \f[B]\-\-object\-attributes\f[]=\f[I]ATTRIBUTES\f[]: The ++object attributes, optional. ++Object attribytes follow the specifications as outlined in "object ++attribute specifiers". ++The default for created objects is: ++.RS 2 ++.PP ++\f[C]TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH Object Attributes ++.PP ++Object Attributes are used to control various properties of created ++objects. ++When specified as an option, either the raw bitfield mask or ++"nice\-names" may be used. ++The values can be found in Table 31 Part 2 of the TPM2.0 specification, ++which can be found here: ++.PP ++ ++.PP ++Nice names are calculated by taking the name field of table 31 and ++removing the prefix \f[B]TPMA_OBJECT_\f[] and lowercasing the result. ++Thus, \f[B]TPMA_OBJECT_FIXEDTPM\f[] becomes fixedtpm. ++Nice names can be joined using the bitwise or "|" symbol. ++.PP ++For instance, to set The fields \f[B]TPMA_OBJECT_FIXEDTPM\f[], ++\f[B]TPMA_OBJECT_NODA\f[], and \f[B]TPMA_OBJECT_SIGN\f[], the argument ++would be: ++.PP ++\f[B]fixedtpm|noda|sign\f[] ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_createprimary\ \-H\ o\ \-g\ sha256\ \-G\ ecc\ \-C\ context.out ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_dictionarylockout.1 b/man/man1/tpm2_dictionarylockout.1 +new file mode 100644 +index 000000000000..d8e5be903645 +--- /dev/null ++++ b/man/man1/tpm2_dictionarylockout.1 +@@ -0,0 +1,155 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_dictionarylockout" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_dictionarylockout\f[](1) \- setup or clear ++dictionary\-attack\-lockout parameters. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_dictionarylockout\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_dictionarylockout\f[](1) \- setup dictionary\-attack\-lockout ++parameters or clear dictionary\-attack\-lockout state, if any passwd ++option is missing, assume NULL. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\-\-setup\-parameters\f[]=\f[I]SETUP_PARAMETERS\f[]: ++specifies the tool should operate to setup dictionary\-attack\-lockout ++parameters. ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-clear\-lockout\f[]: specifies the tool should ++operate to clear dictionary\-attack\-lockout state. ++.IP \[bu] 2 ++\f[B]\-l\f[], \f[B]\-lockout\-recovery\-time\f[]=\f[I]LOCKOUT_TIME\f[]: ++specifies the wait time in seconds before another TPM_RH_LOCKOUT ++authentication attempt can be made after a failed authentication. ++.IP \[bu] 2 ++\f[B]\-t\f[], \f[B]\-\-recovery\-time\f[]=\f[I]RECOVERY_TIME\f[]: ++specifies the wait time in seconds before another DA\-protected\-object ++authentication attempt can be made after max\-tries number of failed ++authentications. ++.IP \[bu] 2 ++\f[B]\-n\f[], \f[B]\-\-max\-tries\f[]=\f[I]MAX_TRYS\f[]: specifies the ++maximum number of allowed authentication attempts on ++DA\-protected\-object; after which DA is activated. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_dictionarylockout\ \-c\ \-p\ passwd ++tpm2_dictionarylockout\ \-s\ \-n\ 5\ \-t\ 6\ \-l\ 7\ \-p\ passwd ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_encryptdecrypt.1 b/man/man1/tpm2_encryptdecrypt.1 +new file mode 100644 +index 000000000000..39fa1ee57d12 +--- /dev/null ++++ b/man/man1/tpm2_encryptdecrypt.1 +@@ -0,0 +1,169 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_encryptdecrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_encryptdecrypt\f[](1) \- performs symmetric encryption or ++decryption. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_encryptdecrypt\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++tpm2_encryptdecrypt(1) \- performs symmetric encryption or decryption ++with a specified symmetric key. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: the ++symmetric key used for the operation (encryption/decryption). ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++filename of the key context used for the operation. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: filename of the ++key context used for the operation. ++The password for parent key, optional. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-D\f[], \f[B]\-\-decrypt\f[]: Perform a decrypt operation. ++Default is encryption. ++.IP \[bu] 2 ++\f[B]\-I\f[], \f[B]\-\-in\-file\f[]=\f[I]INPUT_FILE\f[]: Input file path ++containing data for decrypt or encrypt operation. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_encryptdecrypt\ \-k\ 0x81010001\ \-P\ abc123\ \-D\ NO\ \-I\ \ \-o\ ++tpm2_encryptdecrypt\ \-c\ key.context\ \-P\ abc123\ \-D\ NO\ \-I\ \ \-o\ ++tpm2_encryptdecrypt\ \-k\ 0x81010001\ \-P\ 123abca\ \-X\ \-D\ NO\ \-I\ \ \-o\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_evictcontrol.1 b/man/man1/tpm2_evictcontrol.1 +new file mode 100644 +index 000000000000..37102a6fb634 +--- /dev/null ++++ b/man/man1/tpm2_evictcontrol.1 +@@ -0,0 +1,180 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_evictcontrol" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_evictcontrol\f[](1) \- Make a transient object persistent or ++evict a persistent object. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_evictcontrol\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_evictcontrol\f[](1) \- allows a transient object to be made ++persistent or a persistent object to be evicted. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-A\f[], \f[B]\-\-auth\f[]=\f[I]AUTH\f[]: The authorization used to ++authorize the commands. ++Valid choices are: ++.RS 2 ++.IP \[bu] 2 ++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: The handle of a ++loaded transient or a persistent object. ++.RS 2 ++.PP ++If the handle is for a transient object, then a handle that will be ++assigned to the persisted object must also be specified with the ++\f[B]\-S\f[] option. ++.PP ++If the handle is for a persistent object, then the \f[B]\-S\f[] does not ++need to be provided since the handle must be the same for both options. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-context\f[]=\f[I]OBJECT_CONTEXT_FILE\f[]: ++Filename for object context. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\-\-persistent\f[]=\f[I]PERSISTENT_HANDLE\f[]: The ++persistent handle for the object handle specified via \f[I]HANDLE\f[]. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwda\f[]=\f[I]AUTH_PASSWORD\f[]: authorization ++password, optional. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_evictcontrol\ \-A\ o\ \-c\ object.context\ \-S\ 0x81010002\ \-P\ abc123 ++tpm2_evictcontrol\ \-A\ o\ \-H\ 0x81010002\ \-S\ 0x81010002\ \-P\ abc123 ++tpm2_evictcontrol\ \-A\ o\ \-H\ 0x81010002\ \-S\ 0x81010002\ \-P\ 123abc ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_getcap.1 b/man/man1/tpm2_getcap.1 +new file mode 100644 +index 000000000000..c7547a52ef35 +--- /dev/null ++++ b/man/man1/tpm2_getcap.1 +@@ -0,0 +1,161 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_getcap" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_getcap\f[](1) \- Display TPM capabilities in a human readable ++form. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_getcap\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_getcap\f[](1) \- Query the TPM for it\[aq]s capabilities / ++properties and dump them to the console. ++This is a thin wrapper around the GetCapability command. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-capability\f[]=\f[I]CAPABILITY_NAME\f[]: The name ++of the capability group to query. ++Currently supported capability groups are: ++.RS 2 ++.IP \[bu] 2 ++properties\-fixed: Display fixed TPM properties. ++.IP \[bu] 2 ++properties\-variable: Display variable TPM properties. ++.IP \[bu] 2 ++algorithms: Display data about supported algorithms. ++.IP \[bu] 2 ++commands: Display data about supported commands. ++.IP \[bu] 2 ++ecc\-curves: Display data about elliptic curves. ++.IP \[bu] 2 ++handles\-transient: Display handles about transient objects. ++.IP \[bu] 2 ++handles\-persistent: Display handles about persistent objects. ++.IP \[bu] 2 ++handles\-permanent: Display handles about permanent objects. ++.IP \[bu] 2 ++handles\-pcr: Display handles about PCRs. ++.IP \[bu] 2 ++handles\-nv\-index: Display handles about NV Indices. ++.IP \[bu] 2 ++handles\-loaded\-session: Display handles about both loaded HMAC and ++policy sessions. ++.IP \[bu] 2 ++handles\-saved\-session: Display handles about saved sessions. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_getcap\ \-\-capability="properties\-fixed" ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_getmanufec.1 b/man/man1/tpm2_getmanufec.1 +new file mode 100644 +index 000000000000..93b2a485c73e +--- /dev/null ++++ b/man/man1/tpm2_getmanufec.1 +@@ -0,0 +1,225 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_getmanufec" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_getmanufec\f[](1) \- Retrieve the Endorsement Credential ++Certificate for the TPM endorsement key from the TPM manufacturer\[aq]s ++endorsement certificate hosting server. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_getmanufec\f[] [\f[I]OPTIONS\f[]] [\f[I]URL\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_getmanufec\f[](1) \- Retrieve the Endorsement Credential ++Certificate for the TPM endorsement key from the TPM manufacturer\[aq]s ++endorsement certificate hosting server. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\-\-endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]: ++specifies current endorse password (string, optional,default:NULL). ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[]: ++specifies current owner password (string, optional,default:NULL). ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-ek\-passwd\f[]=\f[I]EK_PASSWORD\f[]: specifies ++the EK password when created (string,optional,default:NULL). ++.RS 2 ++.PP ++Passwords should follow the password formatting standards, see section ++"Password Formatting". ++.RE ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: specifies the handle ++used to make EK persistent (hex). ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: specifies the ++algorithm type of EK. ++See section "Supported Public Object Algorithms" for a list of supported ++object algorithms. ++See section "Algorithm Specifiers" on how to specify an algorithm ++argument. ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[]: Specifies the file used ++to save the public portion of EK. ++.IP \[bu] 2 ++\f[B]\-N\f[], \f[B]\-\-non\-persistent\f[]: specifies to readout the EK ++public without making it persistent. ++.IP \[bu] 2 ++\f[B]\-O\f[], \f[B]\-\-offline\f[]=\f[I]FILE\f[]: Specifies the file ++that contains an EK retrieved from offline platform that needs to be ++provisioned. ++.IP \[bu] 2 ++\f[B]\-E\f[], \f[B]\-\-ec\-cert\f[]=\f[I]EC_CERT_FILE\f[]: Specifies the ++file used to save the Endorsement Credentials retrieved from the TPM ++manufacturer provisioning server. ++Defaults to stdout if not specified. ++.IP \[bu] 2 ++\f[B]\-U\f[], \f[B]\-\-SSL_NO_VERIFY\f[]: specifies to attempt ++connecting with the TPM manufacturer provisioning server with ++SSL_NO_VERIFY option. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH NOTES ++.PP ++When the verbose option is specified, additional curl debugging ++information is provided by setting the curl mode verbose, see: ++ for more ++information. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_getmanufec\ \-e\ abc123\ \-o\ abc123\ \-P\ passwd\ \-H\ 0x81010001\-g\ 0x01\ \-O\ \-N\ \-U\ \-E\ ECcert.bin\ \-f\ ek.bin\ https://tpm.manufacturer.com/ekcertserver/ ++tpm2_getmanufec\ \-e\ 1a1b1c\ \-o\ 1a1b1c\ \-P\ 123abc\ \-H\ 0x81010001\-g\ 0x01\ \-O\ \-N\ \-U\ \-E\ ECcert.bin\ \-f\ ek.bin\ https://tpm.manufacturer.com/ekcertserver/ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_getpubak.1 b/man/man1/tpm2_getpubak.1 +new file mode 100644 +index 000000000000..32f9ca0222e9 +--- /dev/null ++++ b/man/man1/tpm2_getpubak.1 +@@ -0,0 +1,241 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_getpubak" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_getpubak\f[](1) \- Generate attestation key with given ++algorithm under the endorsement hierarchy. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_getpubak\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_getpubak\f[](1) \- Generate attestation key with given ++algorithm under endorsement hierarchy, make it persistent with given ak ++handle, and return pub AK and AK name. ++If any passwd option is missing, assume NULL. ++.PP ++The tool outputs to stdout a YAML representation of the loaded key ++handle as well as it\[aq]s name, for example: ++.IP ++.nf ++\f[C] ++loaded\-key: ++\ \ handle:\ 800000ff ++\ \ name:\ 000bac149518baa05540a0678bd9b624f8a98d042e46c60f4d098ba394d36fc49268 ++\f[] ++.fi ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\-\-endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]: ++Specifies current endorsement password, defaults to NULL. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-ak\-passwd\f[]=\f[I]AK_PASSWORD\f[] Specifies the ++AK password when created, defaults to NULL. ++Same formatting as the endorse password value or \-e option. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[] ++Specifies the current owner password, defaults to NULL. ++Same formatting as the endorse password value or \-e option. ++.IP \[bu] 2 ++\f[B]\-E\f[], \f[B]\-\-ek\-handle\f[]=\f[I]EK_HANDLE\f[]: Specifies the ++handle used to make EK persistent. ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\-\-ak\-handle\f[]=\f[I]AK_HANDLE\f[]: Specifies the ++handle used to make AK persistent. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: Specifies the ++algorithm type of AK. ++Algorithms should follow the " formatting standards, see section ++"Algorithm Specifiers". ++See section "Supported Public Object Algorithms" for a list of supported ++object algorithms. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: Like \-g, but ++specifies the algorithm of sign. ++See section "Supported Signing Algorithms" for details. ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\-\-file\f[]=\f[I]FILE\f[]: Specifies the file used ++to save the public portion of AK. ++This will be a binary data structure corresponding to the TPM2B_PUBLIC ++struct in the specification. ++.IP \[bu] 2 ++\f[B]\-n\f[], \f[B]\-\-ak\-name\f[]=\f[I]NAME\f[]: Specifies the file ++used to save the ak name, optional. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Signing Algorithms ++.PP ++Supported algorithms are: ++.IP \[bu] 2 ++\f[B]0x5\f[] or \f[B]hmac\f[] for \f[B]TPM_ALG_HMAC\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0x14\f[] or \f[B]rsassa\f[] for \f[B]TPM_ALG_RSASSA\f[] ++.IP \[bu] 2 ++\f[B]0x16\f[] or \f[B]rsapss\f[] for \f[B]TPM_ALG_RSAPSS\f[] ++.IP \[bu] 2 ++\f[B]0x18\f[] or \f[B]ecdsa\f[] for \f[B]TPM_ALG_ECDSA\f[] ++.IP \[bu] 2 ++\f[B]0x1A\f[] or \f[B]ecdaa\f[] for \f[B]TPM_ALG_ECDAA\f[] ++.IP \[bu] 2 ++\f[B]0x1B\f[] or \f[B]sm2\f[] for \f[B]TPM_ALG_SM2\f[] ++.IP \[bu] 2 ++\f[B]0x1C\f[] or \f[B]ecschnorr\f[] for \f[B]TPM_ALG_ECSCHNORR\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_getpubak\ \-e\ abc123\ \-P\ abc123\ \-o\ passwd\ \-E\ 0x81010001\ \-k\ 0x81010002\ \-f\ ./ak.pub\ \-n\ ./ak.name ++tpm2_getpubak\ \-e\ 1a1b1c\ \-P\ 123abc\ \-o\ 1a1b1c\ \-X\ \-E\ 0x81010001\ \-k\ 0x81010002\ \-f\ ./ak.pub\ \-n\ ./ak.name ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_getpubek.1 b/man/man1/tpm2_getpubek.1 +new file mode 100644 +index 000000000000..1115b1095c6c +--- /dev/null ++++ b/man/man1/tpm2_getpubek.1 +@@ -0,0 +1,189 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_getpubek" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_getpubek\f[](1) \- Generate TCG profile compliant endorsement ++key. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_getpubek\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_getpubek\f[](1) \- Generate TCG profile compliant endorsement ++key(endorsement hierarchy primary object), make it persistent with give ++ek handle, and return public EK, if any passwd option is missing, assume ++NULL. ++.PP ++Refer to: ++ ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\-\-endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]: ++Specifies current endorsement password, defaults to NULL. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[] ++Specifies the current owner password, defaults to NULL. ++Same formatting as the endorse password value or \-e option. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-eKPasswd\f[]=\f[I]EK_PASSWORD\f[] Specifies the ++EK password when created, defaults to NULL. ++Same formatting as the endorse password value or \-e option. ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-handle\f[]=\f[I]HANDLE\f[]: specifies the handle ++used to make EK persistent (hex). ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-alg\f[]=\f[I]ALGORITHM\f[]: specifies the ++algorithm type of EK. ++See section "Supported Public Object Algorithms" for a list of supported ++object algorithms. ++See section "Algorithm Specifiers" on how to specify an algorithm ++argument. ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\-\-file\f[]=\f[I]FILE\f[]: specifies the file used ++to save the public portion of EK. ++This will be a binary data structure corresponding to the TPM2B_PUBLIC ++struct in the specification. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION\f[]: ++Optional Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_getpubek\ \-e\ abc123\ \-o\ abc123\ \-P\ passwd\ \-H\ 0x81010001\ \-g\ rsa\ \-f\ ek.pub ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_getrandom.1 b/man/man1/tpm2_getrandom.1 +new file mode 100644 +index 000000000000..1b345f3d43df +--- /dev/null ++++ b/man/man1/tpm2_getrandom.1 +@@ -0,0 +1,144 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_getrandom" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_getrandom\f[](1) \- Retrieves random bytes from the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_getrandom\f[] [\f[I]OPTIONS\f[]] \f[I]SIZE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_getrandom\f[](1) \- Returns the next \f[I]SIZE\f[] octets from ++the random number generator. ++The \f[I]SIZE\f[] parameter is expected as the only argument to the ++tool. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[] specifies the filename ++to output the raw bytes to. ++Defaults to stdout as a hex string. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.PP ++Generate a random 20 bytes and output the binary data to a file: ++.IP ++.nf ++\f[C] ++tpm2_getrandom\ \-o\ random.out\ 20 ++\f[] ++.fi ++.PP ++Generate a random 8 bytes and output the hex formated data to stdout: ++.IP ++.nf ++\f[C] ++tpm2_getrandom\ 8 ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_hash.1 b/man/man1/tpm2_hash.1 +new file mode 100644 +index 000000000000..5c18718ce893 +--- /dev/null ++++ b/man/man1/tpm2_hash.1 +@@ -0,0 +1,190 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_hash" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_hash\f[](1) \- Performs a hash operation with the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_hash\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_hash\f[](1) \- performs a hash operation on \f[I]FILE\f[] and ++returns the results. ++If \f[I]FILE\f[] is not specified, then data is read from stdin. ++If the results of the hash will be used in a signing operation that uses ++a restricted signing key, then the ticket returned by this command can ++indicate that the hash is safe to sign. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-hierarchy\f[]=\f[I]HIERARCHY\f[]: hierarchy to ++use for the ticket. ++Supported options are: ++.RS 2 ++.IP \[bu] 2 ++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.IP \[bu] 2 ++\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[] ++.IP \[bu] 2 ++\f[B]n\f[] for \f[B]TPM_RH_NULL\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]: The hash ++algorithm to use. ++Algorithms should follow the "formatting standards, see section ++"Algorithm Specifiers". ++Also, see section "Supported Hash Algorithms" for a list of supported ++hash algorithms. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-outfile\f[]=\f[I]OUT_FILE\f[] Optional file ++record of the hash result. ++Defaults to stdout in hex form. ++.IP \[bu] 2 ++\f[B]\-t\f[], \f[B]\-\-ticket\f[]=\f[I]TICKET_FILE\f[] Optional file ++record of the ticket result. ++Defaults to stdout in hex form. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.PP ++Hash a file with sha1 hash algorithm and save the hash and ticket to a ++file: ++.IP ++.nf ++\f[C] ++tpm2_hash\ \-H\ e\ \-g\ sha1\ \-o\ hash.bin\ \-t\ ticket.bin\ data.txt ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_hmac.1 b/man/man1/tpm2_hmac.1 +new file mode 100644 +index 000000000000..fbb81f947f0d +--- /dev/null ++++ b/man/man1/tpm2_hmac.1 +@@ -0,0 +1,214 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_hmac" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_hmac\f[](1) \- Performs an HMAC operation with the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_hmac\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_hmac\f[](1) \- performs an HMAC operation on \f[I]FILE\f[] and ++returns the results. ++If \f[I]FILE\f[] is not specified, then data is read from stdin. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_CONTEXT_FILE\f[]: The ++key handle for the symmetric signing key providing the HMAC key. ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: The ++filename of the key context used for the operation. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: The password for ++key, optional. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]: The hash ++algorithm to use. ++Algorithms should follow the "formatting standards, see section ++"Algorithm Specifiers". ++Also, see section "Supported Hash Algorithms" for a list of supported ++hash algorithms. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-outfile\f[]=\f[I]OUT_FILE\f[] Optional file ++record of the HMAC result. ++Defaults to stdout. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.PP ++Perform a SHA1 HMAC on data.in and send output and possibly ticket to ++stdout: ++.IP ++.nf ++\f[C] ++tpm2_hmac\ \-k\ 0x81010002\ \-P\ abc123\ \-g\ sha1\ data.in ++\f[] ++.fi ++.PP ++Perform a SHA1 HMAC on data.in read as a file to stdin and send output ++to a file: ++.IP ++.nf ++\f[C] ++tpm2_hmac\ \-c\ key.context\ \-P\ abc123\ \-g\ sha1\ \-o\ hash.out\ <<\ data.in ++\f[] ++.fi ++.PP ++Perform a SHA256 HMAC on \f[I]stdin\f[] and send result and possibly ++ticket to stdout: ++.PP ++cat data.in | tpm2_hmac \-k 0x81010002 \-g sha256 \-o hash.out ``` ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_listpersistent.1 b/man/man1/tpm2_listpersistent.1 +new file mode 100644 +index 000000000000..ba1e31e8c596 +--- /dev/null ++++ b/man/man1/tpm2_listpersistent.1 +@@ -0,0 +1,185 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_listpersistent" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_listpersistent\f[](1) \- Display all defined persistent ++objects. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_listpersistent\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_listpersistent\f[](1) \- display all defined persistent ++objects. ++.SH OPTIONS ++.PP ++These options for listing the persistent objects: ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]ALGORITHM\f[]: Only display ++persistent objects using this hash algorithm. ++Algorithms should follow the " formatting standards, see section ++"Algorithm Specifiers". ++Also, see section "Supported Hash Algorithms" for a list of supported ++hash algorithms. ++.IP \[bu] 2 ++\f[B]\-G\f[], \f[B]\-\-kalg\f[]=\f[I]KEY_ALGORITHM\f[]: Only display ++persistent objects using this key algorithm. ++It accepts friendly names just like \f[B]\-g\f[] option. ++See section "Supported Public Object Algorithms" for a list of supported ++object algorithms. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_listpersistent ++tpm2_listpersistent\ \-g\ sha256\ \-G\ ecc ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_load.1 b/man/man1/tpm2_load.1 +new file mode 100644 +index 000000000000..20358a3a9dac +--- /dev/null ++++ b/man/man1/tpm2_load.1 +@@ -0,0 +1,174 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_load" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_load\f[](1) \- Load an object into the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_load\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_load\f[](1) \- Load both the private and public portions of an ++object into the TPM. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-parent\f[]=\f[I]PARENT_HANDLE\f[]: The handle of ++the parent object. ++Either this option or \f[B]\-c\f[] must be used. ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-context\-parent\f[]=\f[I]PARENT_CONTEXT_FILE\f[]: ++The filename for parent context. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: The ++password for parent key, optional. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-u\f[], \f[B]\-\-pubfile\f[]=\f[I]PUBLIC_OBJECT_DATA_FILE\f[]: A ++file containing the public portion of the object. ++.IP \[bu] 2 ++\f[B]\-r\f[], \f[B]\-\-privfile\f[]=\f[I]PRIVATE_OBJECT_DATA_FILE\f[]: A ++file containing the sensitive portion of the object. ++.IP \[bu] 2 ++\f[B]\-n\f[], \f[B]\-\-name\f[]=\f[I]NAME_DATA_FILE\f[]: An optional ++file to save the name structure of the object. ++.IP \[bu] 2 ++\f[B]\-C\f[], \f[B]\-\-context\f[]=\f[I]CONTEXT_FILE\f[]: An optional ++file to save the object context to. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_load\ \ \-H\ 0x80000000\ \-P\ abc123\ \-u\ \ \-r\ \ \-n\ ++tpm2_load\ \ \-c\ parent.context\ \-P\ abc123\ \-u\ \ \-r\ \ \-n\ \ \-C\ object.context ++tpm2_load\ \ \-H\ 0x80000000\ \-P\ "hex:123abc"\ \-u\ \ \-r\ \ \-n\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_loadexternal.1 b/man/man1/tpm2_loadexternal.1 +new file mode 100644 +index 000000000000..b4be6d9a2892 +--- /dev/null ++++ b/man/man1/tpm2_loadexternal.1 +@@ -0,0 +1,166 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_loadexternal" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_loadexternal\f[](1) \- load an object that is not a Protected ++Object into the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_loadexternal\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_loadexternal\f[](1) \- load an object that is not a Protected ++Object into the TPM. ++The command allows loading of a public area or both a public and a ++sensitive area. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-hierarchy\f[]=\f[I]HIERARCHY\f[]: hierarchy to ++use for the ticket. ++Supported options are: ++.RS 2 ++.IP \[bu] 2 ++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.IP \[bu] 2 ++\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[] ++.IP \[bu] 2 ++\f[B]n\f[] for \f[B]TPM_RH_NULL\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-u\f[], \f[B]\-\-pubfile\f[]=\f[I]PUBLIC_FILE\f[]: The public ++portion of the object. ++.IP \[bu] 2 ++\f[B]\-r\f[], \f[B]\-\-privfile\f[]=\f[I]PRIVATE_FILE\f[]: The sensitive ++portion of the object, optional. ++.IP \[bu] 2 ++\f[B]\-C\f[], \f[B]\-\-context\f[]=\f[I]CONTEXT_FILE\f[] The file to ++save the object context, optional. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.PP ++Load a public area generated by tpm2_create, tpm2_readpublic or manually ++.IP ++.nf ++\f[C] ++tpm2_loadexternal\ \-H\ \ \-u\ \ \-C\ object.context ++\f[] ++.fi ++.PP ++Load a key with sensitive area. ++Both the public & the senstive areas shall be generated externally. ++\f[I]DON\[aq]T\f[] use the areas generated by tpm2_create. ++.IP ++.nf ++\f[C] ++tpm2_loadexternal\ \-H\ n\ \-u\ \ \-r\ \ \-C\ object.context ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_makecredential.1 b/man/man1/tpm2_makecredential.1 +new file mode 100644 +index 000000000000..90cae8c0ecb1 +--- /dev/null ++++ b/man/man1/tpm2_makecredential.1 +@@ -0,0 +1,142 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_makecredential" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_makecredential\f[](1) \- load an object that is not a ++Protected Object into the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_makecredential\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_makecredential\f[](1) \- Use a TPM public key to protect a ++secret that is used to encrypt the AK certififcate. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\-\-enckey\f[]=\f[I]PUBLIC_FILE\f[]: A tpm Public Key ++which was used to wrap the seed. ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\-\-sec\f[]=\f[I]SECRET_DATA_FILE\f[]: The secret ++which will be protected by the key derived from the random seed. ++.IP \[bu] 2 ++\f[B]\-n\f[], \f[B]\-\-name\f[]=\f[I]NAME\f[] The name of the key for ++which certificate is to be created. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUT_FILE\f[] The output file ++path, recording the two structures output by tpm2_makecredential ++function. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_makecredential\ \-e\ \ \-s\ \ \-n\ \ \-o\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_nvdefine.1 b/man/man1/tpm2_nvdefine.1 +new file mode 100644 +index 000000000000..95c8c84be731 +--- /dev/null ++++ b/man/man1/tpm2_nvdefine.1 +@@ -0,0 +1,203 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_nvdefine" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvdefine\f[](1) \- define a TPM Non\-Volatile (NV) index. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_nvdefine\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_nvdefine\f[](1) \- Define NV index with given auth value. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index ++to define the space at. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: ++specifies the handle used to authorize: ++.RS 2 ++.IP \[bu] 2 ++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\-\-size\f[]=\f[I]SIZE\f[]: specifies the size of ++data area in bytes. ++Defaults to MAX_NV_INDEX_SIZE which is typically 2048. ++.IP \[bu] 2 ++\f[B]\-t\f[], \f[B]\-\-attributes\f[]=\f[I]ATTRIBUTES\f[] Specifies the ++attribute values for the nv region used when creating the entitiy. ++Either the raw bitfield mask or "nice\-names" may be used. ++See section "NV Attributes" for more details. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: ++specifies the password of authHandle. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-I\f[], \f[B]\-\-index\-passwd\f[]=\f[I]INDEX_PASSWORD\f[]: ++specifies the password of NV Index when created. ++Follows the same formatting guidelines as the handle password or \-P ++option. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\-\-policy\-file\f[]=\f[I]POLICY_FILE\f[]: Specifies ++the policy digest file for policy based authorizations. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]: ++Optional Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH NV Attributes ++.PP ++NV Attributes are used to control various properties of the NV defined ++space. ++When specified as an option, either the raw bitfield mask or ++"nice\-names" may be used. ++The values can be found in Table 204 Part 2 of the TPM2.0 specification, ++which can be found here: ++.PP ++ ++.PP ++Nice names are calculated by taking the name field of table 204 and ++removing the prefix \f[B]TPMA_NV_\f[] and lowercasing the result. ++Thus, \f[B]TPMA_NV_PPWRITE\f[] becomes ppwrite. ++Nice names can be joined using the bitwise or "|" symbol. ++.PP ++Note that the \f[B]TPM_NT\f[] field is 4 bits wide, and thus can be set ++via \f[B]nt=\f[] format. ++For instance, to set The fields \f[B]TPMA_NV_OWNERREAD\f[], ++\f[B]TPMA_NV_OWNERWRITE\f[], \f[B]TPMA_NV_POLICYWRITE\f[], and ++\f[B]TPMA_NT = 0x3\f[], the argument would be: ++.PP ++\f[B]ownerread|ownerwrite|policywrite|nt=0x3\f[] # Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_nvdefine\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32\ \-t\ 0x2000A ++tpm2_nvdefine\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32\ \-t\ ownerread|ownerwrite|policywrite\ \-I\ 1a1b1c ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_nvlist.1 b/man/man1/tpm2_nvlist.1 +new file mode 100644 +index 000000000000..ac8c5dec8743 +--- /dev/null ++++ b/man/man1/tpm2_nvlist.1 +@@ -0,0 +1,192 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_nvlist" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvlist\f[](1) \- display all defined Non\-Volatile (NV)s ++indices. ++.SS SYNOPSIS ++.PP ++\f[B]tpm2_nvlist\f[] [\f[I]OPTIONS\f[]] ++.SS DESCRIPTION ++.PP ++\f[B]tpm2_nvlist\f[](1) \- display all defined Non\-Volatile (NV)s ++indices to stdout in a YAML format. ++.PP ++Display metadata for all defined NV indices. ++Metadata includes: ++.IP \[bu] 2 ++The size of the defined region. ++.IP \[bu] 2 ++The hash algorithm used to compute the name of the index. ++.IP \[bu] 2 ++The auth policy. ++.IP \[bu] 2 ++The NV attributes as defined in section "NV Attributes". ++.PP ++Example Output: ++.IP ++.nf ++\f[C] ++0x1500015: ++\ \ hash\ algorithm: ++\ \ \ \ friendly:\ sha256 ++\ \ \ \ value:\ 0xB ++\ \ attributes: ++\ \ \ \ friendly:\ ownerwrite|ownerread ++\ \ \ \ value:\ 0x2000200 ++\ \ size:\ 32 ++\ \ authorization\ policy: ++ ++0x1500017: ++\ \ hash\ algorithm: ++\ \ \ \ friendly:\ sha256 ++\ \ \ \ value:\ 0xB ++\ \ attributes: ++\ \ \ \ friendly:\ ownerwrite|ownerread ++\ \ \ \ value:\ 0x2000200 ++\ \ size:\ 32 ++\ \ authorization\ policy: ++\f[] ++.fi ++.SH OPTIONS ++.PP ++This tool takes no tool specific options. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH NV Attributes ++.PP ++NV Attributes are used to control various properties of the NV defined ++space. ++When specified as an option, either the raw bitfield mask or ++"nice\-names" may be used. ++The values can be found in Table 204 Part 2 of the TPM2.0 specification, ++which can be found here: ++.PP ++ ++.PP ++Nice names are calculated by taking the name field of table 204 and ++removing the prefix \f[B]TPMA_NV_\f[] and lowercasing the result. ++Thus, \f[B]TPMA_NV_PPWRITE\f[] becomes ppwrite. ++Nice names can be joined using the bitwise or "|" symbol. ++.PP ++Note that the \f[B]TPM_NT\f[] field is 4 bits wide, and thus can be set ++via \f[B]nt=\f[] format. ++For instance, to set The fields \f[B]TPMA_NV_OWNERREAD\f[], ++\f[B]TPMA_NV_OWNERWRITE\f[], \f[B]TPMA_NV_POLICYWRITE\f[], and ++\f[B]TPMA_NT = 0x3\f[], the argument would be: ++.PP ++\f[B]ownerread|ownerwrite|policywrite|nt=0x3\f[] # EXAMPLES ++.PP ++To list the defined NV indeces to stdout: ++.IP ++.nf ++\f[C] ++tpm2_nvlist ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_nvread.1 b/man/man1/tpm2_nvread.1 +new file mode 100644 +index 000000000000..59025e755dd0 +--- /dev/null ++++ b/man/man1/tpm2_nvread.1 +@@ -0,0 +1,193 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_nvread" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvread\f[](1) \- Read the data stored in a Non\-Volatile (NV)s ++index. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_nvread\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_nvread\f[](1) \- Read the data stored in a Non\-Volatile (NV)s ++index. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index ++to define the space at. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: ++specifies the handle used to authorize: ++.RS 2 ++.IP \[bu] 2 ++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[]: file to write data ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: ++specifies the password of authHandle. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\-\-size\f[]=\f[I]SIZE\f[]: Specifies the size of ++data to be read in bytes, starting from 0 if offset is not specified. ++If not specified, the size of the data as reported by the public portion ++of the index will be used. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-offset\f[]=\f[I]OFFSET\f[]: The offset within the ++NV index to start reading from. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]: ++Optional Input session handle from a policy session for authorization. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\-\-set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]: ++.RS 2 ++.PP ++The list of pcr banks and selected PCRs\[aq] ids. ++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers ++standards, see section "PCR Bank Specfiers". ++.RE ++.IP \[bu] 2 ++\f[B]\-F\f[],**\-\-pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[] ++.RS 2 ++.PP ++Optional Path or Name of the file containing expected pcr values for the ++specified index. ++Default is to read the current PCRs per the set list. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.PP ++To read 32 bytes from an index starting at offset 0: ++.IP ++.nf ++\f[C] ++tpm2_nvread\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32 ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_nvreadlock.1 b/man/man1/tpm2_nvreadlock.1 +new file mode 100644 +index 000000000000..3dcb5c9e51fc +--- /dev/null ++++ b/man/man1/tpm2_nvreadlock.1 +@@ -0,0 +1,168 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_nvreadlock" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvreadlock\f[](1) \- lock the Non\-Volatile (NV) index for ++further reads. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_nvreadlock\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_nvreadlock\f[](1) \- lock the Non\-Volatile (NV) index for ++further reads. ++The index is released on subsequent restart of the machine. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index ++to define the space at. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: ++specifies the handle used to authorize: ++.RS 2 ++.IP \[bu] 2 ++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: ++specifies the password of authHandle. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]: ++Optional Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.PP ++To lock an index protected by a password: ++.IP ++.nf ++\f[C] ++tpm2_nvreadlock\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-P\ passwd ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_nvrelease.1 b/man/man1/tpm2_nvrelease.1 +new file mode 100644 +index 000000000000..be984d747144 +--- /dev/null ++++ b/man/man1/tpm2_nvrelease.1 +@@ -0,0 +1,167 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_nvrelease" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvrelease\f[](1) \- Release a Non\-Volatile (NV) index. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_nvrelease\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_nvrelease\f[](1) \- Release a Non\-Volatile (NV) index that ++was previously defined with tpm2_nvdefine(1). ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index ++to release. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: ++specifies the handle used to authorize: ++.RS 2 ++.IP \[bu] 2 ++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\-\-size\f[]=\f[I]SIZE\f[]: specifies the size of ++data area in bytes. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: ++specifies the password of authHandle. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]: ++Optional Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_nvrelease\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-P\ passwd ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_nvwrite.1 b/man/man1/tpm2_nvwrite.1 +new file mode 100644 +index 000000000000..8f69e026d49f +--- /dev/null ++++ b/man/man1/tpm2_nvwrite.1 +@@ -0,0 +1,186 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_nvwrite" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvwrite\f[](1) \- Write data to a Non\-Volatile (NV) index. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_nvwrite\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_nvwrite\f[](1) \- Write data specified via \f[I]FILE\f[] to a ++Non\-Volatile (NV) index. ++If \f[I]FILE\f[] is not specified, it defaults to stdout. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-x\f[], \f[B]\-\-index\f[]=\f[I]NV_INDEX\f[]: Specifies the index ++to define the space at. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-offset\f[]=\f[I]OFFSET\f[]: The offset within the ++NV index to start writing at. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\-\-auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: ++specifies the handle used to authorize: ++.RS 2 ++.IP \[bu] 2 ++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: ++specifies the password of authHandle. ++Passwords should follow the "password formatting standards, see section ++"Password Formatting". ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\-\-input\-session\-handle\f[]=\f[I]SIZE\f[]: ++Optional Input session handle from a policy session for authorization. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\-\-set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]: ++.RS 2 ++.PP ++The list of pcr banks and selected PCRs\[aq] ids. ++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers ++standards, see section "PCR Bank Specfiers". ++.RE ++.IP \[bu] 2 ++\f[B]\-F\f[],**\-\-pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[] ++.RS 2 ++.PP ++Optional Path or Name of the file containing expected pcr values for the ++specified index. ++Default is to read the current PCRs per the set list. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.PP ++To write the file nv.data to index 0x150016: ++.IP ++.nf ++\f[C] ++tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x40000001\ nv.data ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_pcrevent.1 b/man/man1/tpm2_pcrevent.1 +new file mode 100644 +index 000000000000..1359d00dbc6d +--- /dev/null ++++ b/man/man1/tpm2_pcrevent.1 +@@ -0,0 +1,162 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_pcrevent" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_pcrevent\f[](1) \- hashes a file and optionally extends a pcr. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_pcrevent\f[] [\f[I]OPTIONS\f[]] [\f[I]FILE\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_pcrevent\f[](1) hashes \f[I]FILE\f[] if specified or stdin. ++It uses all of the hashing algorithms that the tpm supports. ++Optionally, if a pcr index is specified, it extends that pcr for all ++supported algorithms with the hash digest. ++In either case, it outputs to stdout the hash algorithm used and the ++digest value, one per line: ++.PP ++\f[I]alg\f[]:\f[I]digest\f[] ++.PP ++Where \f[I]alg\f[] is the algorithm used (eg. ++sha1) and \f[I]digest\f[] is the digest resulting from the hash ++computation of \f[I]alg\f[] on the data. ++.PP ++See sections 23.1 and sections 17 of the TPM2.0 ++Specification (https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf) ++.SH OPTIONS ++.PP ++These options control extending the pcr: ++.IP \[bu] 2 ++\f[B]\-i\f[], \f[B]\-\-pcr\-index\f[]=\f[I]INDEX\f[]: Not only compute ++the hash digests on \f[I]FILE\f[], also extend the pcr given by ++\f[I]INDEX\f[] for all supported hash algorithms. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Use ++\f[I]SESSION_HANDLE\f[] for providing an authorization session for the ++pcr specified by \f[I]INDEX\f[]. ++It is an error to specify \f[B]\-S\f[] without specifying a pcr index ++with \f[B]\-i\f[]. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-password\f[]=\f[I]PASSWORD\f[]: Use ++\f[I]PASSWORD\f[] for providing an authorization value for the pcr ++specified in \f[I]INDEX\f[]. ++It is an error to specify \f[B]\-P\f[] without specifying a pcr index ++with \f[B]\-i\f[]. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.PP ++Hash a file: ++.PP ++tpm2_pcrevent data ++.PP ++Hash a file and extend pcr 8: ++.PP ++tpm2_pcrevent \-i 8 data ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_pcrextend.1 b/man/man1/tpm2_pcrextend.1 +new file mode 100644 +index 000000000000..5a4a232907f6 +--- /dev/null ++++ b/man/man1/tpm2_pcrextend.1 +@@ -0,0 +1,178 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_pcrextend" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_pcrextend\f[](1) \- Extends a PCR. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_pcrextend\f[] [\f[I]OPTIONS\f[]] [\f[I]PCR_DIGEST_SPEC\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_pcrextend\f[](1) Extends the pcrs with values indicated by ++\f[I]PCR_DIGEST_SPEC\f[]. ++.PP ++A \f[I]PCR_DIGEST_SPEC\f[] is defined as follows: ++.IP \[bu] 2 ++A numerical pcr identifier. ++.IP \[bu] 2 ++A colon followed by the algorithm hash specification. ++The algorithm hash specification is as follows: ++.RS 2 ++.IP \[bu] 2 ++The algorithm friendly name or raw numerical. ++.IP \[bu] 2 ++An equals sign. ++.IP \[bu] 2 ++The hex hash value. ++.RE ++.PP ++Example Digest Specification: ++.IP ++.nf ++\f[C] ++4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 ++\f[] ++.fi ++.PP ++\f[B]Note\f[]: that multiple specifications of PCR and hash are allowed. ++Multiple hashes cause the pcr to be extended with both hashes. ++Multiple same PCR values cause the PCR to be extended multiple times. ++Extension is done in order from left to right as specified. ++At most 5 hash extensions per PCR entry are supported. ++This is to keep the parser simple. ++.SH OPTIONS ++.PP ++This tool accepts no tool specific options. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.PP ++Extend PCR 4\[aq]s SHA1 bank with a hash: ++.IP ++.nf ++\f[C] ++tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 ++\f[] ++.fi ++.PP ++Extend PCR 4\[aq]s SHA1 and SHA256 banks with hashes: ++.IP ++.nf ++\f[C] ++tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15,sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c ++\f[] ++.fi ++.PP ++Extend PCR 4\[aq]s SHA1 and PCR 7\[aq]s SHA256 bank with hashes: ++.IP ++.nf ++\f[C] ++tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15\ 7:sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_pcrlist.1 b/man/man1/tpm2_pcrlist.1 +new file mode 100644 +index 000000000000..fb9a329da20b +--- /dev/null ++++ b/man/man1/tpm2_pcrlist.1 +@@ -0,0 +1,246 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_pcrlist" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_pcrlist\f[](1) \- List PCR values. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_pcrlist\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_pcrlist\f[](1) Displays PCR values. ++Without any options, \f[B]tpm2_pcrlist\f[] outputs all pcrs and their ++hash banks. ++One can use either the \f[B]\-g\f[] or \f[B]\-L\f[] mutually exclusive ++options to filter the output. ++.PP ++Output is writtien in a YAML format to stdout, with each algorithm ++followed by a PCR index and its value. ++As a simple example assume just sha1 and sha256 support and only 1 PCR. ++The output would be: ++.IP ++.nf ++\f[C] ++sha1\ : ++\ \ 0\ \ :\ 0000000000000000000000000000000000000003 ++sha256\ : ++\ \ 0\ \ :\ 0000000000000000000000000000000000000000000000000000000000000003 ++\f[] ++.fi ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-algorithm\f[]=\f[I]HASH_ALGORITHM\f[]: Only ++output PCR banks with the given algorithm. ++Algorithms should follow the "formatting standards, see section ++"Algorithm Specifiers". ++Also, see section "Supported Hash Algorithms" for a list of supported ++hash algorithms. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-output\f[]=\f[I]FILE\f[]: The output file to ++write the PCR values in binary format, optional. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\-\-sel\-list\f[]=\f[I]PCR_SELECTION_LIST\f[]: ++.RS 2 ++.PP ++The list of pcr banks and selected PCRs\[aq] ids for each bank to ++display. ++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers ++standards, see section "PCR Bank Specfiers". ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\-\-algs\f[]: Output the list of supported ++algorithms. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH PCR Bank Specfiers ++.PP ++PCR Bank Selection lists follow the below specification: ++.IP ++.nf ++\f[C] ++:[,] ++\f[] ++.fi ++.PP ++multiple banks may be separated by \[aq]+\[aq]. ++.PP ++For example: ++.IP ++.nf ++\f[C] ++sha:3,4+sha256:5,6 ++\f[] ++.fi ++.PP ++will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the ++SHA256 bank. ++.SS Note ++.PP ++PCR Selections allow for up to 5 hash to pcr selection mappings. ++This is a limitaion in design in the single call to the tpm to get the ++pcr values. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.PP ++display all PCR values: ++.IP ++.nf ++\f[C] ++tpm2_pcrlist ++\f[] ++.fi ++.PP ++Display the PCR values with a specified bank: ++.IP ++.nf ++\f[C] ++tpm2_pcrlist\ \-g\ sha1 ++\f[] ++.fi ++.PP ++Display the PCR values with specified banks and store in a file: ++.IP ++.nf ++\f[C] ++tpm2_pcrlist\ \-L\ sha1:16,17,18+sha256:16,17,18\ \-o\ pcrs ++\f[] ++.fi ++.PP ++Display the supported PCR bank algorithms and exit: ++.IP ++.nf ++\f[C] ++tpm2_pcrlist\ \-s ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_quote.1 b/man/man1/tpm2_quote.1 +new file mode 100644 +index 000000000000..3d49cb84dbce +--- /dev/null ++++ b/man/man1/tpm2_quote.1 +@@ -0,0 +1,255 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_quote" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_quote\f[](1) \- Provide a quote and signature from the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_quote\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_quote\f[](1) Provide quote and signature for given list of ++PCRs in given algorithm/banks. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\-\-ak\-handle\f[]=\f[I]AK_HANDLE\f[]: ++.RS 2 ++.PP ++Handle of existing AK. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-ak\-context\f[]=\f[I]AK_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++Filename for the existing AK\[aq]s context. ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-ak\-password\f[]=\f[I]AK_PASSWORD\f[]: ++.RS 2 ++.PP ++specifies the password of \f[I]AK_HANDLE\f[]. ++Passwords should follow the password formatting standards, see section ++"Password Formatting". ++.RE ++.IP \[bu] 2 ++\f[B]\-l\f[], \f[B]\-\-id\-list\f[]=\f[I]PCR_ID_LIST\f[] ++.RS 2 ++.PP ++The comma separated list of selected PCRs\[aq] ids, 0~23 e.g. ++"4,5,6". ++.RE ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\-\-sel\-list\f[]=\f[I]PCR_SELECTION_LIST\f[]: ++.RS 2 ++.PP ++The list of pcr banks and selected PCRs\[aq] ids for each bank. ++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers ++standards, see section "PCR Bank Specfiers". ++.RE ++.IP \[bu] 2 ++\f[B]\-m\f[], \f[B]\-\-message\f[]: ++.RS 2 ++.PP ++message output file, records the quote message that makes up the data ++that is signed by the TPM. ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\-\-signature\f[]: ++.RS 2 ++.PP ++signature output file, records the signature in the format specified via ++the \f[B]\-f\f[] option. ++.RE ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\-\-format\f[] ++.RS 2 ++.PP ++Format selection for the signature output file. ++See section "Signature Format Specifiers". ++.RE ++.IP \[bu] 2 ++\f[B]\-q\f[], \f[B]\-\-qualify\-data\f[]: ++.RS 2 ++.PP ++Data given as a Hex string to qualify the quote, optional. ++This is typically used to add a nonce against replay attacks. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.IP \[bu] 2 ++\f[B]\-G\f[], \f[B]\-\-sig\-hash\-algorithm\f[]: ++.RS 2 ++.PP ++Hash algorithm for signature. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH PCR Bank Specfiers ++.PP ++PCR Bank Selection lists follow the below specification: ++.IP ++.nf ++\f[C] ++:[,] ++\f[] ++.fi ++.PP ++multiple banks may be separated by \[aq]+\[aq]. ++.PP ++For example: ++.IP ++.nf ++\f[C] ++sha:3,4+sha256:5,6 ++\f[] ++.fi ++.PP ++will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the ++SHA256 bank. ++.SS Note ++.PP ++PCR Selections allow for up to 5 hash to pcr selection mappings. ++This is a limitaion in design in the single call to the tpm to get the ++pcr values. ++.SH Signature Format Specifiers ++.PP ++Format selection for the signature output file. ++\f[B]tss\f[] (the default) will output a binary blob according to the ++TPM 2.0 specification and any potential compiler padding. ++The option \f[B]plain\f[] will output the plain signature data as ++defined by the used cryptographic algorithm. ++# EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_quote\ \-k\ 0x81010002\ \-P\ abc123\ \-g\ sha1\ \-l\ 16,17,18 ++tpm2_quote\ \-c\ ak.context\ \-P\ "str:abc123"\ \-g\ sha1\ \-l\ 16,17,18 ++tpm2_quote\ \-k\ 0x81010002\ \-g\ sha1\ \-l\ 16,17,18 ++tpm2_quote\ \-c\ ak.context\ \-g\ sha1\ \-l\ 16,17,18 ++tpm2_quote\ \-k\ 0x81010002\ \-P\ "hex:123abc"\ \-L\ sha1:16,17,18+sha256:16,17,18\ \-q\ 11aa22bb ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_rc_decode.1 b/man/man1/tpm2_rc_decode.1 +new file mode 100644 +index 000000000000..492eea90607c +--- /dev/null ++++ b/man/man1/tpm2_rc_decode.1 +@@ -0,0 +1,132 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_rc_decode" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_rc_decode\f[](1) \- Decode TPM2 error codes to human readable ++format. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_rc_decode\f[] [\f[I]OPTIONS\f[]] \f[I]RC_CODE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_rc_decode\f[](1) converts \f[I]RC_CODE\f[] originating from ++the SAPI and TCTI into human readable errors. ++Analogous to strerror(3), but for the tpm2 stack. ++.SH OPTIONS ++.PP ++This tool takes no tool specific options. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_rc_decode\ 0x100 ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_readpublic.1 b/man/man1/tpm2_readpublic.1 +new file mode 100644 +index 000000000000..ccc8c4010af1 +--- /dev/null ++++ b/man/man1/tpm2_readpublic.1 +@@ -0,0 +1,155 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_readpublic" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_readpublic\f[](1) \- Read the public area of a loaded object. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_readpublic\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_readpublic\f[](1) Reads the public area of a loaded object. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-object\f[]=\f[I]HANDLE\f[]: ++.RS 2 ++.PP ++The loaded object handle to read the public data of. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-ak\-context\f[]=\f[I]OBJECT_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++Filename for object context. ++.RE ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-opu\f[]: ++.RS 2 ++.PP ++The output file path, recording the public portion of the object. ++.RE ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\-\-format\f[]: ++.RS 2 ++.PP ++Format selection for the public key output file. ++\[aq]tss\[aq] (the default) will output a binary blob according to the ++TPM 2.0 secification. ++\[aq]pem\[aq] will output an OpenSSL compatible PEM encoded public key. ++\[aq]der\[aq] will output an OpenSSL compatible DER encoded public key. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_readpublic\ \-H\ 0x81010002\ \-\-opu\ output.dat ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_rsadecrypt.1 b/man/man1/tpm2_rsadecrypt.1 +new file mode 100644 +index 000000000000..dede7d971717 +--- /dev/null ++++ b/man/man1/tpm2_rsadecrypt.1 +@@ -0,0 +1,191 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_rsadecrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_rsadecrypt\f[](1) \- Performs an RSA Decryption operation ++using the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_tpm2_rsadecrypt\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_rsadecrypt\f[](1) performs RSA decryption using the indicated ++padding scheme according to IETF RFC 3447 (PKCS#1). ++The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[]. ++.PP ++The key referenced by keyHandle is \f[B]required\f[] to be: ++.IP "1." 3 ++an RSA key ++.IP "2." 3 ++Have the attribute \f[I]decrypt\f[] \f[B]SET\f[] in it\[aq]s attributes. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: ++.RS 2 ++.PP ++the public portion of RSA key to use for decryption. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++filename of the key context used for the operation. ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: ++.RS 2 ++.PP ++specifies the password of \f[I]KEY_HANDLE\f[]. ++Passwords should follow the password formatting standards, see section ++"Password Formatting". ++.RE ++.IP \[bu] 2 ++\f[B]\-I\f[], \f[B]\-\-in\-file\f[]=\f[I]INPUT\f[]: ++.RS 2 ++.PP ++Input file path, containing the data to be decrypted. ++.RE ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]: ++.RS 2 ++.PP ++Output file path, record the decrypted data. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: ++.RS 2 ++.PP ++Optional Input session handle from a policy session for authorization. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_rsadecrypt\ \-k\ 0x81010001\ \-I\ encrypted.in\ \-o\ plain.out ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_rsaencrypt.1 b/man/man1/tpm2_rsaencrypt.1 +new file mode 100644 +index 000000000000..29e2bcd7e9df +--- /dev/null ++++ b/man/man1/tpm2_rsaencrypt.1 +@@ -0,0 +1,188 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_rsaencrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_rsaencrypt\f[](1) \- Performs an RSA Encryption operation ++using the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_rsaencrypt\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_rsaencrypt\f[](1) performs RSA encryption on the contents of ++\f[I]FILE\f[] (defaulting to stdin) using the indicated padding scheme ++according to IETF RFC 3447 (PKCS#1). ++The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[]. ++.PP ++The key referenced by keyHandle is \f[B]required\f[] to be: ++.IP "1." 3 ++an RSA key ++.IP "2." 3 ++Have the attribute \f[I]decrypt\f[] \f[B]SET\f[] in it\[aq]s attributes. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: ++.RS 2 ++.PP ++the public portion of RSA key to use for encryption. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++filename of the key context used for the operation. ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: ++.RS 2 ++.PP ++specifies the password of \f[I]KEY_HANDLE\f[]. ++Passwords should follow the password formatting standards, see section ++"Password Formatting". ++.RE ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]: ++.RS 2 ++.PP ++Output file path, record the decrypted data. ++The default is to print an xxd compatible hexdump to stdout. ++If a file is specified, raw binary output is performed. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: ++.RS 2 ++.PP ++Optional Input session handle from a policy session for authorization. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_rsaencrypt\ \-k\ 0x81010001\ \-I\ plain.in\ \-o\ encrypted.out ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_send.1 b/man/man1/tpm2_send.1 +new file mode 100644 +index 000000000000..193b66d101b7 +--- /dev/null ++++ b/man/man1/tpm2_send.1 +@@ -0,0 +1,154 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_send" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_send\f[](1) \- Send a raw command buffer to the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_send\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_send\f[](1) Sends a TPM command to the TPM. ++The command is read from a file as a binary stream and transmitted to ++the TPM using the TCTI specified by the caller. ++The response received from the TPM is written to the output file. ++.PP ++Likely the caller will want to redirect this to a file or into a program ++to decode and display the response in a human readable form. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-i\f[], \f[B]\-\-input\f[]=\f[I]INPUT\f[]: ++.RS 2 ++.PP ++Input file to read a command buffer from. ++Defaults to stdin. ++.RE ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-out\-file\f[]=\f[I]OUTPUT_FILE\f[]: ++.RS 2 ++.PP ++Output file to send response buffer to. ++Defaults to stdout. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.PP ++Send the contents of tpm2\-command.bin to a device and collect the ++response as tpm2\-response.bin. ++All examples of below accomplish this task. ++.IP ++.nf ++\f[C] ++tpm2_send\ \-\-tcti=device\ <\ tpm2\-command.bin\ >\ tpm2\-response.bin ++tpm2_send\ \-\-tcti=device\ \-i\ tpm2\-command.bin\ >\ tpm2\-response.bin ++tpm2_send\ \-\-tcti=device\ <\ tpm2\-command.bin\ \-o\ tpm2\-response.bin ++tpm2_send\ \-\-tcti=device\ \-i\ tpm2\-command.bin\ \-o\ tpm2\-response.bin ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_sign.1 b/man/man1/tpm2_sign.1 +new file mode 100644 +index 000000000000..67e079619fba +--- /dev/null ++++ b/man/man1/tpm2_sign.1 +@@ -0,0 +1,245 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_sign" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_sign\f[](1) \- Sign a hash using the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_sign\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_sign\f[](1) signs an externally provided hash with the ++specified symmetric or asymmetric signing key. ++If keyHandle references a restricted signing key, then validation shall ++be provided, indicating that the TPM performed the hash of the data and ++validation shall indicate that hashed data did not start with ++\f[B]TPM_GENERATED_VALUE\f[]. ++The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[]. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: ++.RS 2 ++.PP ++Handle of key that will perform signing. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++Filename of the key context used for the operation. ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: ++.RS 2 ++.PP ++Specifies the password of \f[I]KEY_HANDLE\f[]. ++Passwords should follow the password formatting standards, see section ++"Password Formatting". ++.RE ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]: ++.RS 2 ++.PP ++The hash algorithm used to digest the message. ++Algorithms should follow the "formatting standards, see section ++"Algorithm Specifiers". ++Also, see section "Supported Hash Algorithms" for a list of supported ++hash algorithms. ++.RE ++.IP \[bu] 2 ++\f[B]\-m\f[], \f[B]\-\-msg\f[]=\f[I]MSG_FILE\f[]: ++.RS 2 ++.PP ++The message file, containing the content to be digested. ++.RE ++.IP \[bu] 2 ++\f[B]\-t\f[], \f[B]\-\-ticket\f[]=\f[I]TICKET_FILE\f[]: ++.RS 2 ++.PP ++The ticket file, containning the validation structure, optional. ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\-\-sig\f[]=\f[I]TICKET_FILE\f[]: ++.RS 2 ++.PP ++The signature file, records the signature structure. ++.RE ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\-\-format\f[] ++.RS 2 ++.PP ++Format selection for the signature output file. ++See section "Signature Format Specifiers". ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: ++.RS 2 ++.PP ++Optional Input session handle from a policy session for authorization. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH Signature Format Specifiers ++.PP ++Format selection for the signature output file. ++\f[B]tss\f[] (the default) will output a binary blob according to the ++TPM 2.0 specification and any potential compiler padding. ++The option \f[B]plain\f[] will output the plain signature data as ++defined by the used cryptographic algorithm. ++# EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_sign\ \-k\ 0x81010001\ \-P\ abc123\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ ++tpm2_sign\ \-c\ key.context\ \-P\ abc123\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_startup.1 b/man/man1/tpm2_startup.1 +new file mode 100644 +index 000000000000..ca40b6bceb79 +--- /dev/null ++++ b/man/man1/tpm2_startup.1 +@@ -0,0 +1,139 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_startup" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_startup\f[](1) \- Send a startup command to the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_startup\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_startup\f[](1) Send a \f[B]TPM2_Startup\f[] command with ++either \f[B]TPM_SU_CLEAR\f[] or \f[B]TPM_SU_STATE\f[]. ++.PP ++\f[B]NOTE\f[]: Typically a Resource Manager or low\-level/boot software ++will have already sent this command. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-clear\f[]: ++.RS 2 ++.PP ++Startup type sent will be \f[B]TPM_SU_CLEAR\f[] instead of ++\f[B]TPM2_SU_STATE\f[]. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_startup ++tpm2_startup\ \-c ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_takeownership.1 b/man/man1/tpm2_takeownership.1 +new file mode 100644 +index 000000000000..aee0bc7d4ced +--- /dev/null ++++ b/man/man1/tpm2_takeownership.1 +@@ -0,0 +1,220 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_takeownership" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_takeownership\f[](1) \- Insert authorization values for the ++owner, endorsement and lockout authorizations. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_takeownership\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_takeownership\f[](1) \- performs a hash operation on ++\f[I]FILE\f[] and returns the results. ++If \f[I]FILE\f[] is not specified, then data is read from stdin. ++If the results of the hash will be used in a signing operation that uses ++a restricted signing key, then the ticket returned by this command can ++indicate that the hash is safe to sign. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-owner\-password\f[]=\f[I]OWNER_PASSWORD\f[]: The ++new owner authorization value. ++.RS 2 ++.PP ++Passwords should follow the password formatting standards, see section ++"Password Formatting". ++.RE ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\-\-endorse\-password\f[]=\f[I]ENDORSE_PASSWORD\f[]: ++.RS 2 ++.PP ++The new endorse authorization value. ++Passwords should follow the same formatting requirements as the \-o ++option. ++.RE ++.IP \[bu] 2 ++\f[B]\-l\f[], \f[B]\-\-lockout\-password\f[]=\f[I]LOCKOUT_PASSWORD\f[]: ++.RS 2 ++.PP ++The new lockout authorization value. ++.PP ++The new endorse authorization value. ++Passwords should follow the same formatting requirements as the \-o ++option. ++.RE ++.IP \[bu] 2 ++\f[B]\-O\f[], ++\f[B]\-\-old\-ownerPassword\f[]=\f[I]OLD_OWNER_PASSWORD\f[]: ++.RS 2 ++.PP ++The old owner authorization value. ++Passwords should follow the same formatting requirements as the \-o ++option. ++.RE ++.IP \[bu] 2 ++\f[B]\-E\f[], ++\f[B]\-\-old\-endorsePassword\f[]=\f[I]OLD_ENDORSE_PASSWORD\f[]: ++.RS 2 ++.PP ++The old endorse authorization value. ++Passwords should follow the same formatting requirements as the \-o ++option. ++.RE ++.IP \[bu] 2 ++\f[B]\-L\f[], ++\f[B]\-\-old\-lockoutPassword\f[]=\f[I]OLD_LOCKOUT_PASSWORD\f[]: ++.RS 2 ++.PP ++The old lockout authorization value. ++Passwords should follow the same formatting requirements as the \-o ++option. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-clear\f[]: ++.RS 2 ++.PP ++Clears the 3 authorizations values with lockout auth, thus one must ++specify \-L. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.PP ++Set owner, endorsement and lockout authorizations to an empty auth ++value: ++.IP ++.nf ++\f[C] ++tpm2_takeownership\ \-c\ \-L\ oldlockoutpasswd ++\f[] ++.fi ++.PP ++Set owner, endorsement and lockout authorizations to a new value: ++.IP ++.nf ++\f[C] ++tpm2_takeownership\ \-o\ newo\ \-e\ newe\ \-l\ newl\ \-O\ oldo\ \-E\ olde\ \-L\ oldl ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_unseal.1 b/man/man1/tpm2_unseal.1 +new file mode 100644 +index 000000000000..81a3b6696b7a +--- /dev/null ++++ b/man/man1/tpm2_unseal.1 +@@ -0,0 +1,232 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_unseal" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_unseal\f[](1) \- Returns the data in a loaded Sealed Data ++Object. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_unseal\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_unseal\f[](1) \- \-returns the data in a loaded Sealed Data ++Object. ++.PP ++\f[B]NOTE\f[]: The \f[B]\-\-set\-list\f[] and ++\f[B]\-\-pcr\-input\-file\f[] options should only be used for simple PCR ++authentication policies. ++For more complex policies the tools should be ran in an execution ++environment that keeps the session context alive and pass that session ++using the \f[B]\-\-input\-session\-handle\f[] option. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\-\-item\f[]=\f[I]ITEM_HANDLE\f[]: ++.RS 2 ++.PP ++Item handle of loaded object. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-item\-context\f[]=\f[I]ITEM_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++Filename of the item context. ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\-\-pwdk\f[]=\f[I]KEY_PASSWORD\f[]: ++.RS 2 ++.PP ++Specifies the password of \f[I]ITEM_HANDLE\f[]. ++Passwords should follow the password formatting standards, see section ++"Password Formatting". ++.RE ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\-\-outfile\f[]=\f[I]OUT_FILE\f[]: ++.RS 2 ++.PP ++Output file name, containing the unsealed data. ++Defaults to stdout if not specified. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: ++.RS 2 ++.PP ++Optional Input session handle from a policy session for authorization. ++.RE ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\-\-set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]: ++.RS 2 ++.PP ++The list of pcr banks and selected PCRs\[aq] ids. ++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers ++standards, see section "PCR Bank Specfiers". ++.RE ++.IP \[bu] 2 ++\f[B]\-F\f[],**\-\-pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[] ++.RS 2 ++.PP ++Optional Path or Name of the file containing expected pcr values for the ++specified index. ++Default is to read the current PCRs per the set list. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH PCR Bank Specfiers ++.PP ++PCR Bank Selection lists follow the below specification: ++.IP ++.nf ++\f[C] ++:[,] ++\f[] ++.fi ++.PP ++multiple banks may be separated by \[aq]+\[aq]. ++.PP ++For example: ++.IP ++.nf ++\f[C] ++sha:3,4+sha256:5,6 ++\f[] ++.fi ++.PP ++will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the ++SHA256 bank. ++.SS Note ++.PP ++PCR Selections allow for up to 5 hash to pcr selection mappings. ++This is a limitaion in design in the single call to the tpm to get the ++pcr values. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_unseal\ \-H\ 0x81010001\ \-P\ abc123\ \-o\ out.dat ++tpm2_unseal\ \-c\ item.context\ \-P\ abc123\ \-o\ out.dat ++tpm2_unseal\ \-H\ 0x81010001\ \-P\ "hex:123abc"\ \-o\ out.dat ++tpm2_unseal\ \-c\ item.context\ \-L\ sha1:0,1,2\ \-F\ out.dat ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff --git a/man/man1/tpm2_verifysignature.1 b/man/man1/tpm2_verifysignature.1 +new file mode 100644 +index 000000000000..ed047386d4f8 +--- /dev/null ++++ b/man/man1/tpm2_verifysignature.1 +@@ -0,0 +1,244 @@ ++.\" Automatically generated by Pandoc 1.19.1 ++.\" ++.TH "tpm2_verifysignature" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_verifysignature\f[](1) \- Validates a signature using the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_verifysignature\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_verifysignature\f[](1) uses loaded keys to validate a ++signature on a message with the message digest passed to the TPM. ++If the signature check succeeds, then the TPM will produce a ++\f[B]TPMT_TK_VERIFIED\f[]. ++Otherwise, the TPM shall return \f[B]TPM_RC_SIGNATURE\f[]. ++If \f[I]KEY_HANDLE\f[] references an asymmetric key, only the public ++portion of the key needs to be loaded. ++If \f[I]KEY_HANDLE\f[] references a symmetric key, both the public and ++private portions need to be loaded. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\-\-key\-handle\f[]=\f[I]KEY_HANDLE\f[]: ++.RS 2 ++.PP ++Handle of key that will used in the validation. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\-\-key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++Filename of the key context used for the operation. ++.RE ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\-\-halg\f[]=\f[I]HASH_ALGORITHM\f[]: ++.RS 2 ++.PP ++The hash algorithm used to digest the message. ++Algorithms should follow the "formatting standards, see section ++"Algorithm Specifiers". ++Also, see section "Supported Hash Algorithms" for a list of supported ++hash algorithms. ++.RE ++.IP \[bu] 2 ++\f[B]\-m\f[], \f[B]\-\-msg\f[]=\f[I]MSG_FILE\f[]: ++.RS 2 ++.PP ++The message file, containing the content to be digested. ++.RE ++.IP \[bu] 2 ++\f[B]\-D\f[], \f[B]\-\-digest\f[]=\f[I]DIGEST_FILE\f[]: ++.RS 2 ++.PP ++The input hash file, containing the hash of the message. ++If this option is selected, then the message (\f[B]\-m\f[]) and ++algorithm (\f[B]\-g\f[]) options do not need to be specified. ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\-\-sig\f[]=\f[I]SIG_FILE\f[]: ++.RS 2 ++.PP ++The input signature file of the signature to be validated. ++.RE ++.IP \[bu] 2 ++\f[B]\-r\f[], \f[B]\-\-raw\f[]: ++.RS 2 ++.PP ++Set the input signature file to raw type. ++The default is TPMT_SIGNATURE. ++.RE ++.IP \[bu] 2 ++\f[B]\-t\f[], \f[B]\-\-ticket\f[]=\f[I]TICKET_FILE\f[]: ++.RS 2 ++.PP ++The ticket file to record the validation structure. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\-\-input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: ++.RS 2 ++.PP ++Optional Input session handle from a policy session for authorization. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\-\-help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this ++tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\-\-verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\-\-quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\-\-enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is "/dev/tpm0". ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++"/dev/tpmrm\f[B]\f[]", typically "/dev/tpmrm0". ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\-\-tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[B]:\f[I]TCTI_OPTIONS\f[]\f[]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the "hex:" prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support "nice\-names". ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_verifysignature\ \-k\ 0x81010001\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ ++tpm2_verifysignature\ \-k\ 0x81010001\ \-D\ \ \-s\ \ \-t\ ++tpm2_verifysignature\ \-c\ key.context\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ ++\f[] ++.fi ++.PP ++RETURNS ++.PP ++0 on success or 1 on failure. ++.PP ++BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.PP ++HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +-- +2.14.3 + diff --git a/SOURCES/autoconf-fixup.patch b/SOURCES/autoconf-fixup.patch new file mode 100644 index 0000000..1ff90e8 --- /dev/null +++ b/SOURCES/autoconf-fixup.patch @@ -0,0 +1,10 @@ +diff -urN tpm2-tools-3.0.1/configure.ac tpm2-tools-3.0.1-new/configure.ac +--- tpm2-tools-3.0.1/configure.ac 2017-12-08 11:19:47.000000000 -0700 ++++ tpm2-tools-3.0.1-new/configure.ac 2017-12-15 10:01:43.128340107 -0700 +@@ -1,5 +1,4 @@ +-AC_INIT([tpm2-tools], +- [m4_esyscmd_s([git describe --tags --always --dirty])]) ++AC_INIT([tpm2-tools],[3.0.1]) + AC_CONFIG_MACRO_DIR([m4]) + AC_PROG_CC + LT_INIT diff --git a/SOURCES/ekservaddr.patch b/SOURCES/ekservaddr.patch deleted file mode 100644 index 496e180..0000000 --- a/SOURCES/ekservaddr.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp ---- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp 2017-04-05 11:26:04.740073304 -0700 -+++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp 2017-04-05 11:26:53.973845213 -0700 -@@ -615,8 +615,7 @@ - printf("TPM Manufacturer Endorsement Credential Server Address cannot be NULL\n"); - return -99; - } -- EKserverAddr = (char *)malloc(strlen(optarg)); -- strncpy(EKserverAddr, optarg, strlen(optarg)); -+ EKserverAddr = strdup(optarg); - printf("TPM Manufacturer EK provisioning address -- %s\n", EKserverAddr); - break; - default: diff --git a/SOURCES/fix-resource-leak-InitSysContext.patch b/SOURCES/fix-resource-leak-InitSysContext.patch deleted file mode 100644 index e5dcf61..0000000 --- a/SOURCES/fix-resource-leak-InitSysContext.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -ur tpm2.0-tools-1.1.0/src/syscontext.c tpm2.0-tools-1.1.0-new/src/syscontext.c ---- tpm2.0-tools-1.1.0/src/syscontext.c 2016-11-04 07:13:32.000000000 -0700 -+++ tpm2.0-tools-1.1.0-new/src/syscontext.c 2017-04-04 22:46:07.365948473 -0700 -@@ -59,8 +59,10 @@ - - if( rval == TSS2_RC_SUCCESS ) - return sysContext; -- else -+ else { -+ free(sysContext); - return 0; -+ } - } - else - { diff --git a/SOURCES/max-nv-buffer.patch b/SOURCES/max-nv-buffer.patch new file mode 100644 index 0000000..aebdf94 --- /dev/null +++ b/SOURCES/max-nv-buffer.patch @@ -0,0 +1,28 @@ +diff -urN tpm2-tools-3.0.1/tools/tpm2_nvread.c tpm2-tools-3.0.1-new/tools/tpm2_nvread.c +--- tpm2-tools-3.0.1/tools/tpm2_nvread.c 2017-12-11 08:34:01.000000000 -0700 ++++ tpm2-tools-3.0.1-new/tools/tpm2_nvread.c 2017-12-15 18:08:18.361935382 -0700 +@@ -120,6 +120,10 @@ + return false; + } + ++ if (max_data_size > MAX_NV_BUFFER_SIZE) { ++ max_data_size = MAX_NV_BUFFER_SIZE; ++ } ++ + UINT8 *data_buffer = malloc(data_size); + if (!data_buffer) { + LOG_ERR("oom"); +diff -urN tpm2-tools-3.0.1/tools/tpm2_nvwrite.c tpm2-tools-3.0.1-new/tools/tpm2_nvwrite.c +--- tpm2-tools-3.0.1/tools/tpm2_nvwrite.c 2017-12-11 08:34:01.000000000 -0700 ++++ tpm2-tools-3.0.1-new/tools/tpm2_nvwrite.c 2017-12-15 18:08:09.055066735 -0700 +@@ -116,6 +116,10 @@ + return false; + } + ++ if (max_data_size > MAX_NV_BUFFER_SIZE) { ++ max_data_size = MAX_NV_BUFFER_SIZE; ++ } ++ + UINT16 data_offset = 0; + UINT16 bytes_left = ctx.nv_buffer.t.size; + while (bytes_left > 0) { diff --git a/SOURCES/ret-on-success-rc-decode.patch b/SOURCES/ret-on-success-rc-decode.patch deleted file mode 100644 index b0ee2a5..0000000 --- a/SOURCES/ret-on-success-rc-decode.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -ur tpm2.0-tools-1.1.0/src/tpm2_rc_decode.c tpm2.0-tools-1.1.0-new/src/tpm2_rc_decode.c ---- tpm2.0-tools-1.1.0/src/tpm2_rc_decode.c 2016-11-04 07:13:32.000000000 -0700 -+++ tpm2.0-tools-1.1.0-new/src/tpm2_rc_decode.c 2017-04-05 14:23:36.654804125 -0700 -@@ -246,6 +246,7 @@ - fprintf (stderr, "Unknown TPM_RC format\n"); - return -1; - } -+ return 0; - } - /* Top level function to dump human readable data about TPM_RCs. - */ diff --git a/SOURCES/tpm2-getmanufec-null-ptr-checks.patch b/SOURCES/tpm2-getmanufec-null-ptr-checks.patch deleted file mode 100644 index 65ac086..0000000 --- a/SOURCES/tpm2-getmanufec-null-ptr-checks.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp ---- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp 2017-04-19 10:35:14.803672435 -0700 -+++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp 2017-04-19 19:08:46.515111070 -0700 -@@ -385,6 +385,10 @@ - } - - char *weblink = (char*)malloc(1 + strlen(b64h) + strlen(EKserverAddr)); -+ if (!weblink) { -+ fprintf(stderr, "Memory allocation failed.\n"); -+ return -1; -+ } - memset(weblink, 0, (1 + strlen(b64h) + strlen(EKserverAddr))); - strcat(weblink, EKserverAddr); - strcat(weblink, b64h); -@@ -394,6 +398,11 @@ - - FILE * respfile; - respfile = fopen(ECcertFile, "wb"); -+ if (!respfile) { -+ fprintf(stderr, "Unable to open file: %s\n", ECcertFile); -+ free(weblink); -+ return -1; -+ } - - curl_global_init(CURL_GLOBAL_DEFAULT); - curl = curl_easy_init(); diff --git a/SOURCES/tpm2-listpcrs-select.patch b/SOURCES/tpm2-listpcrs-select.patch deleted file mode 100644 index 1d2693b..0000000 --- a/SOURCES/tpm2-listpcrs-select.patch +++ /dev/null @@ -1,93 +0,0 @@ -diff -ur tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp ---- tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp 2017-05-15 15:02:54.844952364 -0700 -+++ tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp 2017-05-15 15:06:26.224438974 -0700 -@@ -159,38 +159,36 @@ - return 0; - } - --void preparePcrSelections_g(TPMI_ALG_HASH algId) -+int preparePcrSelections(TPMI_ALG_HASH algId) - { -- UINT32 pcrId = 0; -- -- g_pcrSelections.count = 1; -- g_pcrSelections.pcrSelections[0].hash = algId; -- SET_PCR_SELECT_SIZE(g_pcrSelections.pcrSelections[0], 3); -- CLEAR_PCR_SELECT_BITS(g_pcrSelections.pcrSelections[0]); -- -- for(pcrId = 0; pcrId < 24; pcrId++) -+ TPMI_YES_NO moreData; -+ TPMS_CAPABILITY_DATA capabilityData; -+ UINT32 rval; -+ -+ rval = Tss2_Sys_GetCapability( sysContext, 0, TPM_CAP_PCRS, 0, 1, -+ &moreData, &capabilityData, 0 ); -+ if(rval != TPM_RC_SUCCESS) - { -- SET_PCR_SELECT_BIT(g_pcrSelections.pcrSelections[0], pcrId ); -+ printf("\n......GetCapability: Get PCR allocation status Error. TPM Error:0x%x......\n", rval); -+ return -1; - } --} -- --void preparePcrSelections() --{ -- UINT32 pcrId = 0; - - g_pcrSelections.count = 0; -- for( int i = 0; i < g_banks.count; i++ ) -+ for( int i=0; i < capabilityData.data.assignedPCR.count; i++ ) - { -- g_pcrSelections.pcrSelections[i].hash = g_banks.alg[i]; -- SET_PCR_SELECT_SIZE(g_pcrSelections.pcrSelections[i], 3); -- CLEAR_PCR_SELECT_BITS(g_pcrSelections.pcrSelections[i]); -- -- for(pcrId = 0; pcrId < 24; pcrId++) -- { -- SET_PCR_SELECT_BIT(g_pcrSelections.pcrSelections[i], pcrId ); -- } -+ if (algId && (capabilityData.data.assignedPCR.pcrSelections[i].hash != algId)) -+ continue; -+ g_pcrSelections.pcrSelections[g_pcrSelections.count].hash = capabilityData.data.assignedPCR.pcrSelections[i].hash; -+ SET_PCR_SELECT_SIZE(g_pcrSelections.pcrSelections[g_pcrSelections.count], capabilityData.data.assignedPCR.pcrSelections[i].sizeofSelect); -+ for (int j = 0; j < g_pcrSelections.pcrSelections[g_pcrSelections.count].sizeofSelect; j++) -+ g_pcrSelections.pcrSelections[g_pcrSelections.count].pcrSelect[j] = capabilityData.data.assignedPCR.pcrSelections[i].pcrSelect[j]; - g_pcrSelections.count++; - } -+ -+ if (g_pcrSelections.count == 0) -+ return -1; -+ -+ return 0; - } - - // show all PCR banks according to g_pcrSelection & g_pcrs. -@@ -205,7 +203,7 @@ - printf("\nBank/Algorithm: %s(0x%04x)\n", - g_algs[alg_i].desc, g_pcrSelections.pcrSelections[i].hash); - -- for(UINT32 pcrId = 0; pcrId < 24; pcrId++) -+ for(UINT32 pcrId = 0; pcrId < g_pcrSelections.pcrSelections[i].sizeofSelect * 8; pcrId++) - { - if(!TEST_PCR_SELECT_BIT(g_pcrSelections.pcrSelections[i], pcrId)) - continue; -@@ -246,7 +244,8 @@ - - int showAllPcrValues() - { -- preparePcrSelections(); -+ if(preparePcrSelections(0)) -+ return -1; - - if(readPcrValues()) - return -1; -@@ -270,7 +269,8 @@ - - int showAlgPcrValues(TPMI_ALG_HASH algId) - { -- preparePcrSelections_g(algId); -+ if(preparePcrSelections(algId)) -+ return -1; - - if(readPcrValues()) - return -1; diff --git a/SOURCES/tpm2_getmanuc-null-check.patch b/SOURCES/tpm2_getmanuc-null-check.patch deleted file mode 100644 index d195787..0000000 --- a/SOURCES/tpm2_getmanuc-null-check.patch +++ /dev/null @@ -1,44 +0,0 @@ -diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp ---- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp 2017-04-05 15:47:18.271030008 -0700 -+++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp 2017-04-05 15:47:39.326377029 -0700 -@@ -332,9 +332,16 @@ - - char *Base64Encode(const unsigned char* buffer) - { -- printf("Calculating the Base64Encode of the hash of the Endorsement Public Key:\n"); - BIO *bio, *b64; - BUF_MEM *bufferPtr; -+ -+ printf("Calculating the Base64Encode of the hash of the Endorsement Public Key:\n"); -+ -+ if (buffer == NULL) { -+ printf("HashEKPublicKey returned null\n"); -+ return NULL; -+ } -+ - b64 = BIO_new(BIO_f_base64()); - bio = BIO_new(BIO_s_mem()); - bio = BIO_push(b64, bio); -@@ -371,6 +378,12 @@ - int RetrieveEndorsementCredentials(char *b64h) - { - printf("Retrieving Endorsement Credential Certificate from the TPM Manufacturer EK Provisioning Server\n"); -+ -+ if (b64h == NULL) { -+ printf("Base64Encode returned null\n"); -+ return -1; -+ } -+ - char *weblink = (char*)malloc(1 + strlen(b64h) + strlen(EKserverAddr)); - memset(weblink, 0, (1 + strlen(b64h) + strlen(EKserverAddr))); - strcat(weblink, EKserverAddr); -@@ -416,8 +429,7 @@ - printf("TPM Manufacturer Endorsement Credential Server Address cannot be NULL\n"); - return -99; - } -- RetrieveEndorsementCredentials(Base64Encode(HashEKPublicKey())); -- return 0; -+ return RetrieveEndorsementCredentials(Base64Encode(HashEKPublicKey())); - } - - void showHelp(const char *name) diff --git a/SOURCES/tpm2_getmanufec-leak-clean.patch b/SOURCES/tpm2_getmanufec-leak-clean.patch deleted file mode 100644 index 08e1e67..0000000 --- a/SOURCES/tpm2_getmanufec-leak-clean.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -ur tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp ---- tpm2.0-tools-1.1.0/src/tpm2_getmanufec.cpp 2017-04-05 15:48:37.613337680 -0700 -+++ tpm2.0-tools-1.1.0-new/src/tpm2_getmanufec.cpp 2017-04-05 15:48:47.806505677 -0700 -@@ -418,6 +418,7 @@ - curl_global_cleanup(); - printf("\n"); - free(weblink); -+ fclose(respfile); - return 0; - } - diff --git a/SOURCES/void-return-listpcrs.patch b/SOURCES/void-return-listpcrs.patch deleted file mode 100644 index e273156..0000000 --- a/SOURCES/void-return-listpcrs.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ur tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp ---- tpm2.0-tools-1.1.0/src/tpm2_listpcrs.cpp 2016-11-04 07:13:32.000000000 -0700 -+++ tpm2.0-tools-1.1.0-new/src/tpm2_listpcrs.cpp 2017-04-05 02:43:59.619719509 -0700 -@@ -159,7 +159,7 @@ - return 0; - } - --int preparePcrSelections_g(TPMI_ALG_HASH algId) -+void preparePcrSelections_g(TPMI_ALG_HASH algId) - { - UINT32 pcrId = 0; - diff --git a/SPECS/tpm2-tools.spec b/SPECS/tpm2-tools.spec index 715d2a9..308ecfa 100644 --- a/SPECS/tpm2-tools.spec +++ b/SPECS/tpm2-tools.spec @@ -1,56 +1,48 @@ Name: tpm2-tools -Version: 1.1.0 -Release: 7%{?dist} +Version: 3.0.1 +Release: 1%{?dist} Summary: A TPM2.0 testing tool build upon TPM2.0-TSS -%global pkg_prefix tpm2.0-tools - License: BSD -URL: https://github.com/01org/tpm2.0-tools -Source0: https://github.com/01org/tpm2.0-tools/archive/v%{version}.tar.gz#/%{pkg_prefix}-%{version}.tar.gz -# RHEL only. code no longer exists upstream -Patch0000: fix-resource-leak-InitSysContext.patch -# RHEL only. Upstream commit 2b6bb441 contains this and more. -# Added code to clean up hash malloc in err paths -Patch0001: HashEKPublicKey-cleanup.patch -# Submitted upstream. https://github.com/01org/tpm2.0-tools/pull/272 -# Slightly different for RHEL due to code differences -Patch0002: tpm2_getmanuc-null-check.patch -# Fix is part of upstream commit 2b6bb441. -Patch0003: tpm2_getmanufec-leak-clean.patch -# Similar to part of upstream commit 2b6bb441. -Patch0004: ekservaddr.patch -# RHEL only. code completely changed upstream -Patch0005: void-return-listpcrs.patch -# Upstream commit 778bd1a0a1b5 -Patch0006: ret-on-success-rc-decode.patch -# Based on part of upstream commit 2b6bb441. -Patch0007: tpm2-getmanufec-null-ptr-checks.patch -# similar fix submitted upstream https://github.com/01org/tpm2.0-tools/pull/284 -Patch0008: tpm2-listpcrs-select.patch - -BuildRequires: gcc +URL: https://github.com/01org/tpm2-tools +Source0: https://github.com/01org/tpm2-tools/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz + +# work around lack of pandoc in RHEL7 +Patch0: add-man-pages.patch +# Deal with RHEL rpmbuilds not being from git +Patch1: autoconf-fixup.patch +# Upstream commit ab1a2d468c4b2ac09a0ac651563653f36a73215f +Patch2: 0001-tpm2_nvwrite-fix-buffer-overflow.patch +# Submitted upstream: https://github.com/intel/tpm2-tools/pull/725 +Patch3: max-nv-buffer.patch + BuildRequires: gcc-c++ BuildRequires: libtool +BuildRequires: autoconf-archive +BuildRequires: pkgconfig(cmocka) BuildRequires: pkgconfig(libcurl) BuildRequires: pkgconfig(openssl) # tpm2-tss-devel provides sapi/tcti-device/tcti-socket BuildRequires: pkgconfig(sapi) BuildRequires: pkgconfig(tcti-device) BuildRequires: pkgconfig(tcti-socket) +BuildRequires: pkgconfig(tcti-tabrmd) # this package does not support big endian arch so far, # and has been verified only on Intel platforms. ExclusiveArch: %{ix86} x86_64 # tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required -Requires: tpm2-tss%{?_isa} >= 1.0-2%{?dist} +Requires: tpm2-tss%{?_isa} >= 1.3.0-1%{?dist} + +# tpm2-tools project changed the install path for binaries and man page section +Obsoletes: tpm2-tools <= 2.1.0-2 %description tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss. %prep -%autosetup -p1 -n %{pkg_prefix}-%{version} +%autosetup -p1 -n %{name}-%{version} ./bootstrap %build @@ -61,11 +53,24 @@ tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss. %make_install %files -%doc README.md CHANGELOG +%doc README.md CHANGELOG.md %license LICENSE -%{_sbindir}/tpm2_* +%{_bindir}/tpm2_* +%{_mandir}/man1/tpm2_*.1.gz %changelog +* Wed Dec 13 2017 Jerry Snitselaar - 3.0.1-1 +- Rebase to 3.0.1 release +resolves: rhbz#1463100 + +* Wed Oct 18 2017 Jerry Snitselaar - 2.1.0-2 +- Fix potential memory leak +resolves: rhbz#1463100 + +* Wed Aug 30 2017 Jerry Snitselaar - 2.1.0-1 +- Rebase to 2.1.0 release +resolves: rhbz#1463100 + * Mon May 15 2017 Jerry Snitselaar - 1.1.0-7 - decide pcrs to read based off data returned from TPM2_GetCapability resolves: rhbz#1449276