diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e1a8aa3 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/tpm2-tools-3.0.4.tar.gz diff --git a/.tpm2-tools.metadata b/.tpm2-tools.metadata new file mode 100644 index 0000000..dcf7fcc --- /dev/null +++ b/.tpm2-tools.metadata @@ -0,0 +1 @@ +01fbd61699979dcfb7d9cd88bd4fb15118b602d5 SOURCES/tpm2-tools-3.0.4.tar.gz diff --git a/SOURCES/0001-tpm2_create-Use-better-object-attributes-defaults-fo.patch b/SOURCES/0001-tpm2_create-Use-better-object-attributes-defaults-fo.patch new file mode 100644 index 0000000..527697b --- /dev/null +++ b/SOURCES/0001-tpm2_create-Use-better-object-attributes-defaults-fo.patch @@ -0,0 +1,114 @@ +From 1a541fbef647cd495e1c9fb9667d0f0525ff5fd7 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Mon, 30 Jul 2018 11:40:19 +0200 +Subject: [PATCH] tpm2_create: Use better object attributes defaults for + authentication + +The tpm2_create tool allows to define a policy session or a password for +authentication. By default no policy session is used and the password is +empty, which means that this empty password is used for authentication. + +So the default object attribute flag userWithAuth is set in order to use +the empty password. This isn't a good default though if a policy is set, +since in this case the policy session has to be used for authentication +instead of an empty password. + +If a policy is defined, the userWithAuth bit has to be clear unless the +user defines a password so in that case authentication would happen only +using the policy session or the defined password. + +Also add these cases in the integration test to detect regressions. + +Fixes: #1123 + +Signed-off-by: Javier Martinez Canillas +--- + test/system/test_tpm2_unseal.sh | 51 +++++++++++++++++++++++++++++++++ + tools/tpm2_create.c | 4 +++ + 2 files changed, 55 insertions(+) + +diff --git a/test/system/test_tpm2_unseal.sh b/test/system/test_tpm2_unseal.sh +index 1015a43..abfffce 100755 +--- a/test/system/test_tpm2_unseal.sh ++++ b/test/system/test_tpm2_unseal.sh +@@ -109,4 +109,55 @@ unsealed=`tpm2_unseal -c $file_unseal_key_ctx -L ${alg_pcr_policy}:${pcr_ids} -F + + test "$unsealed" == "$secret" + ++# Test that unseal fails if a PCR policy isn't provided ++ ++trap - ERR ++ ++tpm2_unseal -c $file_unseal_key_ctx 2> /dev/null ++if [ $? != 1 ]; then ++ echo "tpm2_unseal didn't fail without a PCR policy!" ++ exit 1 ++fi ++ ++# Test that unseal fails if PCR state isn't the same as the defined PCR policy ++ ++pcr_extend=$(echo $pcr_ids | cut -d ',' -f1) ++ ++tpm2_pcrextend $pcr_extend:sha1=6c10289a8da7f774cf67bd2fc8502cd4b585346a ++ ++tpm2_unseal -c $file_unseal_key_ctx -L ${alg_pcr_policy}:${pcr_ids} -F $file_pcr_value 2> /dev/null ++if [ $? != 1 ]; then ++ echo "tpm2_unseal didn't fail with a PCR state different than the policy!" ++ exit 1 ++fi ++ ++# Test that the object can be unsealed without a policy but a password ++ ++trap onerror ERR ++ ++rm $file_unseal_key_pub $file_unseal_key_priv $file_unseal_key_name ++ ++tpm2_pcrlist -Q -L ${alg_pcr_policy}:${pcr_ids} -o $file_pcr_value ++ ++tpm2_createpolicy -Q -P -L ${alg_pcr_policy}:${pcr_ids} -F $file_pcr_value -f $file_policy ++ ++tpm2_create -Q -g $alg_create_obj -G $alg_create_key -u $file_unseal_key_pub -r $file_unseal_key_priv -I- -c $file_primary_key_ctx -L $file_policy -K secretpass\ ++ -A 'sign|fixedtpm|fixedparent|sensitivedataorigin' <<< $secret ++ ++tpm2_load -Q -c $file_primary_key_ctx -u $file_unseal_key_pub -r $file_unseal_key_priv -n $file_unseal_key_name -C $file_unseal_key_ctx ++ ++unsealed=`tpm2_unseal -c $file_unseal_key_ctx -P secretpass` ++ ++test "$unsealed" == "$secret" ++ ++# Test that unseal fails when using a wrong password ++ ++trap - ERR ++ ++tpm2_unseal -c $file_unseal_key_ctx -P wrongpass 2> /dev/null ++if [ $? != 1 ]; then ++ echo "tpm2_unseal didn't fail when using a wrong object password!" ++ exit 1 ++fi ++ + exit 0 +diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c +index 41d7b42..15166fc 100644 +--- a/tools/tpm2_create.c ++++ b/tools/tpm2_create.c +@@ -256,6 +256,7 @@ static bool on_option(char key, char *value) { + return false; + } + ctx.flags.K = 1; ++ ctx.in_public.t.publicArea.objectAttributes.userWithAuth = 1; + break; + case 'g': + ctx.nameAlg = tpm2_alg_util_from_optarg(value); +@@ -294,6 +295,9 @@ static bool on_option(char key, char *value) { + return false; + } + ctx.flags.L = 1; ++ if (!ctx.flags.K) { ++ ctx.in_public.t.publicArea.objectAttributes.userWithAuth = 0; ++ } + break; + case 'S': + if (!tpm2_util_string_to_uint32(value, &ctx.session_data.sessionHandle)) { +-- +2.17.0 + diff --git a/SOURCES/add-man-pages.patch b/SOURCES/add-man-pages.patch new file mode 100644 index 0000000..9b01694 --- /dev/null +++ b/SOURCES/add-man-pages.patch @@ -0,0 +1,7689 @@ +--- tpm2-tools-3.0.4/Makefile.am 2018-04-30 02:52:17.000000000 -0700 ++++ tpm2-tools-3.0.4-new/Makefile.am 2018-09-10 07:53:19.911780215 -0700 +@@ -273,8 +273,7 @@ + RELEASE.md \ + test/system + +-if HAVE_PANDOC +- man1_MANS := \ ++man1_MANS := \ + man/man1/tpm2_activatecredential.1 \ + man/man1/tpm2_certify.1 \ + man/man1/tpm2_create.1 \ +@@ -315,16 +314,6 @@ + man/man1/tpm2_unseal.1 \ + man/man1/tpm2_verifysignature.1 + +-# If pandoc is enabled, we want to generate the manpages for the dist tarball +-EXTRA_DIST += $(man1_MANS) +-else +-# If pandoc is not enabled, we want to complain that you need pandoc for make dist, +-# so hook the target and complain. +-dist-hook: +- @(>&2 echo "You do not have pandoc, a requirement for the distribution of manpages") +- @exit 1 +-endif +- + MARKDOWN_COMMON_DEPS = \ + man/common/alg.md \ + man/common/hash.md \ +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_activatecredential.1 tpm2-tools-3.0.4-new/man/man1/tpm2_activatecredential.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_activatecredential.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_activatecredential.1 2018-09-10 07:57:12.390603034 -0700 +@@ -0,0 +1,179 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_activatecredential" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_activatecredential\f[](1) \- verify that an object is ++protected with a specific key. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_activatecredential\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++Verify that the given content is protected with given keyHandle for ++given handle, and then decrypt and return the secret, if any passwd ++option is missing, assume NULL. ++Currently only support using TCG profile compliant EK as the keyHandle. ++.SH OPTIONS ++.PP ++These options control the object verification: ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]handle\f[]=\f[I]HANDLE\f[]: \f[I]HANDLE\f[] of ++the object associated with the created certificate by CA. ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: The ++\f[I]KEY_HANDLE\f[] of Loaded key used to decrypt the the random seed. ++.IP \[bu] 2 ++\f[B]\-C\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++\f[I]KEY_CONTEXT_FILE\f[] is the path to a context file. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]password\f[]=\f[I]PASSWORD\f[]: Use ++\f[I]PASSWORD\f[] for providing an authorization value for the ++\f[I]KEY_HANDLE\f[]. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\[en]endorse\-password\f[]=\f[I]ENDORSE_PASSWORD\f[]: ++The endorsement password, optional. ++Follows the same formating guidelines as the handle password option \-P. ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\[en]in\-file\f[]=\f[I]INPUT_FILE\f[]: Input file ++path, containing the two structures needed by tpm2_activatecredential ++function. ++This is created via the tpm2_makecredential(1) command. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]out\-file\f[]=\f[I]OUTPUT_FILE\f[]: Output file ++path, record the secret to decrypt the certificate. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_activatecredential\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ abc123\ \-e\ abc123\ \-f\ \ \-o\ ++tpm2_activatecredential\ \-c\ ak.context\ \-C\ ek.context\ \-P\ abc123\ \-e\ abc123\ \-f\ \ \-o\ ++tpm2_activatecredential\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 123abc\ \-e\ 1a1b1c\ \-X\ \-f\ \ \-o\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_certify.1 tpm2-tools-3.0.4-new/man/man1/tpm2_certify.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_certify.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_certify.1 2018-09-10 07:57:12.572600547 -0700 +@@ -0,0 +1,202 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_certify" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_certify\f[](1) \- prove that an object is loaded in the tpm. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_certify\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_certify\f[](1) proves that an object with a specific ++\f[I]NAME\f[] is loaded in the TPM. ++By certifying that the object is loaded, the TPM warrants that a public ++area with a given \f[I]NAME\f[] is self\-consistent and associated with ++a valid sensitive area. ++If a relying party has a public area that has the same \f[I]NAME\f[] as ++a \f[I]NAME\f[] certified with this command, then the values in that ++public area are correct. ++The object may be any object that is loaded with TPM2_Load() or ++TPM2_CreatePrimary(). ++An object that only has its public area loaded cannot be certified. ++.SH OPTIONS ++.PP ++These options control the ceritifcation: ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]obj\-handle\f[]=\f[I]OBJECT_HANDLE\f[]: The ++handle of the object to be certified. ++.IP \[bu] 2 ++\f[B]\-C\f[], \f[B]\[en]obj\-context\f[]=\f[I]FILE\f[]: Use ++\f[I]FILE\f[] for providing the object context. ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: Handle of ++the key used to sign the attestation structure. ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT\f[]: Filename ++of the key context used to sign the attestation structure. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwdo\f[]=\f[I]OBJECT_PASSWORD\f[]: Use ++\f[I]OBJECT_PASSWORD\f[] for providing an authorization value for the ++object specified in \f[I]OBJECT_HANDLE\f[]. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-K\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: Use ++\f[I]KEY_PASSWORD\f[] for providing an authorization value for the key ++specified in \f[I]KEY_HANDLE\f[]. ++Follows the same formatting guidelines as the object handle password or ++\-P option. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\[en]attest\-file\f[]=\f[I]ATTEST_FILE\f[]: Output ++file name for the attestation data. ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\[en]sig\-file\f[]=\f[I]SIG_FILE\f[]: Output file ++name for the signature data. ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\[en]format\f[] ++.RS 2 ++.PP ++Format selection for the signature output file. ++See section \[lq]Signature Format Specifiers\[rq]. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Signature Format Specifiers ++.PP ++Format selection for the signature output file. ++\f[B]tss\f[] (the default) will output a binary blob according to the ++TPM 2.0 specification and any potential compiler padding. ++The option \f[B]plain\f[] will output the plain signature data as ++defined by the used cryptographic algorithm. ++# EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_certify\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 0x0011\ \-K\ 0x00FF\ \-g\ 0x00B\ \-a\ \ \-s\ ++tpm2_certify\ \-C\ obj.context\ \-c\ key.context\ \-P\ 0x0011\ \-K\ 0x00FF\ \-g\ 0x00B\ \-a\ \ \-s\ ++tpm2_certify\ \-H\ 0x81010002\ \-k\ 0x81010001\ \-P\ 0011\ \-K\ 00FF\ \-X\ \-g\ 0x00B\ \-a\ \ \-s\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_create.1 tpm2-tools-3.0.4-new/man/man1/tpm2_create.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_create.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_create.1 2018-09-10 07:57:12.772597813 -0700 +@@ -0,0 +1,273 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_create" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_create\f[](1) \- create an object that can be loaded into a ++TPM using tpm2_load. ++The object will need to be loaded before it may be used. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_create\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_create\f[](1) \- create an object that can be loaded into a ++TPM using tpm2_load. ++The object will need to be loaded before it may be used. ++.SH OPTIONS ++.PP ++These options for creating the tpm entity: ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]pparent\f[]=\f[I]PARENT_HANDLE\f[]: The handle ++of the parent object to create this object under. ++.IP \[bu] 2 ++\f[B]\-c\f[], ++\f[B]\[en]context\-parent\f[]=\f[I]PARENT_CONTEXT_FILE\f[]: The filename ++for parent context. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: The ++password for parent key, optional. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-K\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: The password for ++key, optional. ++Follows the password formatting of the \[lq]password for parent key\[rq] ++option: \-P. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]ALGORITHM\f[]: The hash algorithm ++to use. ++Algorithms should follow the " formatting standards, see section ++\[lq]Algorithm Specifiers\[rq]. ++Also, see section \[lq]Supported Hash Algorithms\[rq] for a list of ++supported hash algorithms. ++.IP \[bu] 2 ++\f[B]\-G\f[], \f[B]\[en]kalg\f[]=\f[I]KEY_ALGORITHM\f[]: The algorithm ++associated with this object. ++It accepts friendly names just like \-g option. ++See section \[lq]Supported Public Object Algorithms\[rq] for a list of ++supported object algorithms. ++.IP \[bu] 2 ++\f[B]\-A\f[], \f[B]\[en]object\-attributes\f[]=\f[I]ATTRIBUTES\f[]: The ++object attributes, optional. ++Object attribytes follow the specifications as outlined in \[lq]object ++attribute specifiers\[rq]. ++The default for created objects is: ++.RS 2 ++.PP ++\f[C]TPMA_OBJECT_SIGN|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-I\f[], \f[B]\[en]in\-file\f[]=\f[I]FILE\f[]: The data file to be ++sealed, optional. ++If file is \-, read from stdin. ++When sealing data only the TPM_ALG_KEYEDHASH algorithm is allowed. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\[en]policy\-file\f[]=\f[I]POLICY_FILE\f[]: The input ++policy file, optional. ++.IP \[bu] 2 ++\f[B]\-u\f[], \f[B]\[en]pubfile\f[]=\f[I]OUTPUT_PUBLIC_FILE\f[]: The ++output file which contains the public portion of the created object, ++optional. ++.IP \[bu] 2 ++\f[B]\-r\f[], \f[B]\[en]privfile\f[]=\f[I]OUTPUT_PRIVATE_FILE\f[]: The ++output file which contains the sensitive portion of the object, ++optional. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH Object Attributes ++.PP ++Object Attributes are used to control various properties of created ++objects. ++When specified as an option, either the raw bitfield mask or ++\[lq]nice\-names\[rq] may be used. ++The values can be found in Table 31 Part 2 of the TPM2.0 specification, ++which can be found here: ++.PP ++ ++.PP ++Nice names are calculated by taking the name field of table 31 and ++removing the prefix \f[B]TPMA_OBJECT_\f[] and lowercasing the result. ++Thus, \f[B]TPMA_OBJECT_FIXEDTPM\f[] becomes fixedtpm. ++Nice names can be joined using the bitwise or \[lq]|\[rq] symbol. ++.PP ++For instance, to set The fields \f[B]TPMA_OBJECT_FIXEDTPM\f[], ++\f[B]TPMA_OBJECT_NODA\f[], and \f[B]TPMA_OBJECT_SIGN\f[], the argument ++would be: ++.PP ++\f[B]fixedtpm|noda|sign\f[] ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_create\ \-H\ 0x81010001\ \-P\ abc123\ \-K\ def456\ \-g\ sha256\ \-G\ keyedhash\-I\ data.File ++tpm2_create\ \-c\ parent.context\ \-P\ abc123\ \-K\ def456\ \-g\ sha256\ \-G\ keyedhash\ \-I\ data.File ++tpm2_create\ \-H\ 0x81010001\ \-P\ 123abc\ \-K\ 456def\ \-X\ \-g\ sha256\ \-G\ keyedhash\ \-I\ data.File ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_createpolicy.1 tpm2-tools-3.0.4-new/man/man1/tpm2_createpolicy.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_createpolicy.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_createpolicy.1 2018-09-10 07:57:12.945595449 -0700 +@@ -0,0 +1,185 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_createpolicy" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_createpolicy\f[](1) \- Creates simple assertion authorization ++policies based on multiple pcr indices values across multiple enabled ++banks. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_createpolicy\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_createpolicy\f[](1) \- Creates simple assertion authorization ++policies based on multiple pcr indices values across multiple enabled ++banks. ++It can then be used with object creation and or tools using the object. ++.SH OPTIONS ++.PP ++These options control creating the policy authorization session: ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\[en]policy\-file\f[]=\f[I]POLICY_FILE\f[]: File to ++save the policy digest. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]policy\-pcr\f[]: Identifies the PCR policy type ++for policy creation. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]policy\-digest\-alg\f[]=\f[I]HASH_ALGORITHM\f[]: ++The hash algorithm used in computation of the policy digest. ++Algorithms should follow the \[lq]formatting standards, see ++section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported ++Hash Algorithms" for a list of supported hash algorithms. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\[en]set\-list\f[]=\f[I]PCR_LIST\f[]: The list of pcr ++banks and selected PCRs' ids (0~23) for each bank. ++.IP \[bu] 2 ++\f[B]\-F\f[], \f[B]\[en]pcr\-input\-file\f[]=\f[I]PCR_FILE\f[]: Optional ++Path or Name of the file containing expected pcr values for the ++specified index. ++Default is to read the current PCRs per the set list. ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\[en]extend\-policy\-session\f[]: Retains the policy ++session at the end of operation. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\[en]auth\-policy\-session\f[]: Start a policy ++session of type \f[B]TPM_SE_POLICY\f[]. ++Default without this option is \f[B]TPM_SE_TRIAL\f[]. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.PP ++Create a authorization policy tied to a specific PCR index: ++.PP ++\f[B]tpm2_createpolicy \-P \-L 0x4:0 \-f policy.file \-F pcr0.bin\f[] ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_createprimary.1 tpm2-tools-3.0.4-new/man/man1/tpm2_createprimary.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_createprimary.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_createprimary.1 2018-09-10 07:57:13.139592798 -0700 +@@ -0,0 +1,274 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_createprimary" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_createprimary\f[](1) \- Create a primary key under a primary ++seed or a temporary primary key under the \f[B]TPM_RH_NULL\f[] ++hierarchy. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_createprimary\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_createprimary\f[](1) \- This command is used to create a ++Primary Object under one of the Primary Seeds or a Temporary Object ++under \f[B]TPM_RH_NULL\f[]. ++The command uses a \f[B]TPM2B_PUBLIC\f[] as a template for the object to ++be created. ++The command will create and load a Primary Object. ++The sensitive area is not returned. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]hierarchy\f[]=\f[I]HIERARCHY\f[]: Specify the ++hierarchy under which the object is created. ++This will also dictate which authorization secret (if any) must be ++supplied. ++Supported options are: ++.RS 2 ++.IP \[bu] 2 ++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.IP \[bu] 2 ++\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[] ++.IP \[bu] 2 ++\f[B]n\f[] for \f[B]TPM_RH_NULL\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: Optional ++authorization string if authorization is required to create object under ++the specified hierarchy. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-K\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: Optional ++authorization string for the newly created object. ++Follows the same password formating guidelines as the parent ++authorization string under the \-P option. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]ALGORITHM\f[]: The hash algorithm ++to use. ++Algorithms should follow the " formatting standards, see section ++\[lq]Algorithm Specifiers\[rq]. ++Also, see section \[lq]Supported Hash Algorithms\[rq] for a list of ++supported hash algorithms. ++.IP \[bu] 2 ++\f[B]\-G\f[], \f[B]\[en]kalg\f[]=\f[I]KEY_ALGORITHM\f[]: Algorithm type ++for generated key. ++It supports friendly names like the \-g option. ++See section \[lq]Supported Public Object Algorithms\[rq] for a list of ++supported object algorithms. ++.IP \[bu] 2 ++\f[B]\-C\f[], \f[B]\[en]context\f[]=\f[I]CONTEXT_FILE\f[]: An optional ++file used to store the object context returned. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\[en]policy\-file\f[]=\f[I]POLICY_FILE\f[]: An ++optional file input that contains the policy digest for policy based ++authorization of the object. ++.IP \[bu] 2 ++\f[B]\-A\f[], \f[B]\[en]object\-attributes\f[]=\f[I]ATTRIBUTES\f[]: The ++object attributes, optional. ++Object attribytes follow the specifications as outlined in \[lq]object ++attribute specifiers\[rq]. ++The default for created objects is: ++.RS 2 ++.PP ++\f[C]TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH Object Attributes ++.PP ++Object Attributes are used to control various properties of created ++objects. ++When specified as an option, either the raw bitfield mask or ++\[lq]nice\-names\[rq] may be used. ++The values can be found in Table 31 Part 2 of the TPM2.0 specification, ++which can be found here: ++.PP ++ ++.PP ++Nice names are calculated by taking the name field of table 31 and ++removing the prefix \f[B]TPMA_OBJECT_\f[] and lowercasing the result. ++Thus, \f[B]TPMA_OBJECT_FIXEDTPM\f[] becomes fixedtpm. ++Nice names can be joined using the bitwise or \[lq]|\[rq] symbol. ++.PP ++For instance, to set The fields \f[B]TPMA_OBJECT_FIXEDTPM\f[], ++\f[B]TPMA_OBJECT_NODA\f[], and \f[B]TPMA_OBJECT_SIGN\f[], the argument ++would be: ++.PP ++\f[B]fixedtpm|noda|sign\f[] ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_createprimary\ \-H\ o\ \-g\ sha256\ \-G\ ecc\ \-C\ context.out ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_dictionarylockout.1 tpm2-tools-3.0.4-new/man/man1/tpm2_dictionarylockout.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_dictionarylockout.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_dictionarylockout.1 2018-09-10 07:57:13.320590324 -0700 +@@ -0,0 +1,155 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_dictionarylockout" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_dictionarylockout\f[](1) \- setup or clear ++dictionary\-attack\-lockout parameters. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_dictionarylockout\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_dictionarylockout\f[](1) \- setup dictionary\-attack\-lockout ++parameters or clear dictionary\-attack\-lockout state, if any passwd ++option is missing, assume NULL. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\[en]setup\-parameters\f[]=\f[I]SETUP_PARAMETERS\f[]: ++specifies the tool should operate to setup dictionary\-attack\-lockout ++parameters. ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]clear\-lockout\f[]: specifies the tool should ++operate to clear dictionary\-attack\-lockout state. ++.IP \[bu] 2 ++\f[B]\-l\f[], \f[B]\-lockout\-recovery\-time\f[]=\f[I]LOCKOUT_TIME\f[]: ++specifies the wait time in seconds before another TPM_RH_LOCKOUT ++authentication attempt can be made after a failed authentication. ++.IP \[bu] 2 ++\f[B]\-t\f[], \f[B]\[en]recovery\-time\f[]=\f[I]RECOVERY_TIME\f[]: ++specifies the wait time in seconds before another DA\-protected\-object ++authentication attempt can be made after max\-tries number of failed ++authentications. ++.IP \[bu] 2 ++\f[B]\-n\f[], \f[B]\[en]max\-tries\f[]=\f[I]MAX_TRYS\f[]: specifies the ++maximum number of allowed authentication attempts on ++DA\-protected\-object; after which DA is activated. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_dictionarylockout\ \-c\ \-p\ passwd ++tpm2_dictionarylockout\ \-s\ \-n\ 5\ \-t\ 6\ \-l\ 7\ \-p\ passwd ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_encryptdecrypt.1 tpm2-tools-3.0.4-new/man/man1/tpm2_encryptdecrypt.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_encryptdecrypt.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_encryptdecrypt.1 2018-09-10 07:57:13.685585336 -0700 +@@ -0,0 +1,170 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_encryptdecrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_encryptdecrypt\f[](1) \- performs symmetric encryption or ++decryption. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_encryptdecrypt\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++tpm2_encryptdecrypt(1) \- performs symmetric encryption or decryption ++with a specified symmetric key. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: the ++symmetric key used for the operation (encryption/decryption). ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++filename of the key context used for the operation. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: filename of the ++key context used for the operation. ++The password for parent key, optional. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-D\f[], \f[B]\[en]decrypt\f[]: Perform a decrypt operation. ++Default is encryption. ++.IP \[bu] 2 ++\f[B]\-I\f[], \f[B]\[en]in\-file\f[]=\f[I]INPUT_FILE\f[]: Input file ++path containing data for decrypt or encrypt operation. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_encryptdecrypt\ \-k\ 0x81010001\ \-P\ abc123\ \-D\ NO\ \-I\ \ \-o\ ++tpm2_encryptdecrypt\ \-c\ key.context\ \-P\ abc123\ \-D\ NO\ \-I\ \ \-o\ ++tpm2_encryptdecrypt\ \-k\ 0x81010001\ \-P\ 123abca\ \-X\ \-D\ NO\ \-I\ \ \-o\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_evictcontrol.1 tpm2-tools-3.0.4-new/man/man1/tpm2_evictcontrol.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_evictcontrol.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_evictcontrol.1 2018-09-10 07:57:13.874582753 -0700 +@@ -0,0 +1,181 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_evictcontrol" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_evictcontrol\f[](1) \- Make a transient object persistent or ++evict a persistent object. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_evictcontrol\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_evictcontrol\f[](1) \- allows a transient object to be made ++persistent or a persistent object to be evicted. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-A\f[], \f[B]\[en]auth\f[]=\f[I]AUTH\f[]: The authorization used ++to authorize the commands. ++Valid choices are: ++.RS 2 ++.IP \[bu] 2 ++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]handle\f[]=\f[I]HANDLE\f[]: The handle of a ++loaded transient or a persistent object. ++.RS 2 ++.PP ++If the handle is for a transient object, then a handle that will be ++assigned to the persisted object must also be specified with the ++\f[B]\-S\f[] option. ++.PP ++If the handle is for a persistent object, then the \f[B]\-S\f[] does not ++need to be provided since the handle must be the same for both options. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]context\f[]=\f[I]OBJECT_CONTEXT_FILE\f[]: ++Filename for object context. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\[en]persistent\f[]=\f[I]PERSISTENT_HANDLE\f[]: The ++persistent handle for the object handle specified via \f[I]HANDLE\f[]. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwda\f[]=\f[I]AUTH_PASSWORD\f[]: authorization ++password, optional. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_evictcontrol\ \-A\ o\ \-c\ object.context\ \-S\ 0x81010002\ \-P\ abc123 ++tpm2_evictcontrol\ \-A\ o\ \-H\ 0x81010002\ \-S\ 0x81010002\ \-P\ abc123 ++tpm2_evictcontrol\ \-A\ o\ \-H\ 0x81010002\ \-S\ 0x81010002\ \-P\ 123abc ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_getcap.1 tpm2-tools-3.0.4-new/man/man1/tpm2_getcap.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_getcap.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_getcap.1 2018-09-10 07:57:13.499587878 -0700 +@@ -0,0 +1,161 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_getcap" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_getcap\f[](1) \- Display TPM capabilities in a human readable ++form. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_getcap\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_getcap\f[](1) \- Query the TPM for it's capabilities / ++properties and dump them to the console. ++This is a thin wrapper around the GetCapability command. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]capability\f[]=\f[I]CAPABILITY_NAME\f[]: The ++name of the capability group to query. ++Currently supported capability groups are: ++.RS 2 ++.IP \[bu] 2 ++properties\-fixed: Display fixed TPM properties. ++.IP \[bu] 2 ++properties\-variable: Display variable TPM properties. ++.IP \[bu] 2 ++algorithms: Display data about supported algorithms. ++.IP \[bu] 2 ++commands: Display data about supported commands. ++.IP \[bu] 2 ++ecc\-curves: Display data about elliptic curves. ++.IP \[bu] 2 ++handles\-transient: Display handles about transient objects. ++.IP \[bu] 2 ++handles\-persistent: Display handles about persistent objects. ++.IP \[bu] 2 ++handles\-permanent: Display handles about permanent objects. ++.IP \[bu] 2 ++handles\-pcr: Display handles about PCRs. ++.IP \[bu] 2 ++handles\-nv\-index: Display handles about NV Indices. ++.IP \[bu] 2 ++handles\-loaded\-session: Display handles about both loaded HMAC and ++policy sessions. ++.IP \[bu] 2 ++handles\-saved\-session: Display handles about saved sessions. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_getcap\ \-\-capability="properties\-fixed" ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_getmanufec.1 tpm2-tools-3.0.4-new/man/man1/tpm2_getmanufec.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_getmanufec.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_getmanufec.1 2018-09-10 07:57:14.067580116 -0700 +@@ -0,0 +1,226 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_getmanufec" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_getmanufec\f[](1) \- Retrieve the Endorsement Credential ++Certificate for the TPM endorsement key from the TPM manufacturer's ++endorsement certificate hosting server. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_getmanufec\f[] [\f[I]OPTIONS\f[]] [\f[I]URL\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_getmanufec\f[](1) \- Retrieve the Endorsement Credential ++Certificate for the TPM endorsement key from the TPM manufacturer's ++endorsement certificate hosting server. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\[en]endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]: ++specifies current endorse password (string, optional,default:NULL). ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[]: ++specifies current owner password (string, optional,default:NULL). ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]ek\-passwd\f[]=\f[I]EK_PASSWORD\f[]: specifies ++the EK password when created (string,optional,default:NULL). ++.RS 2 ++.PP ++Passwords should follow the password formatting standards, see section ++\[lq]Password Formatting\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]handle\f[]=\f[I]HANDLE\f[]: specifies the handle ++used to make EK persistent (hex). ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]alg\f[]=\f[I]ALGORITHM\f[]: specifies the ++algorithm type of EK. ++See section \[lq]Supported Public Object Algorithms\[rq] for a list of ++supported object algorithms. ++See section \[lq]Algorithm Specifiers\[rq] on how to specify an ++algorithm argument. ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\[en]output\f[]=\f[I]FILE\f[]: Specifies the file ++used to save the public portion of EK. ++.IP \[bu] 2 ++\f[B]\-N\f[], \f[B]\[en]non\-persistent\f[]: specifies to readout the EK ++public without making it persistent. ++.IP \[bu] 2 ++\f[B]\-O\f[], \f[B]\[en]offline\f[]=\f[I]FILE\f[]: Specifies the file ++that contains an EK retrieved from offline platform that needs to be ++provisioned. ++.IP \[bu] 2 ++\f[B]\-E\f[], \f[B]\[en]ec\-cert\f[]=\f[I]EC_CERT_FILE\f[]: Specifies ++the file used to save the Endorsement Credentials retrieved from the TPM ++manufacturer provisioning server. ++Defaults to stdout if not specified. ++.IP \[bu] 2 ++\f[B]\-U\f[], \f[B]\[en]SSL_NO_VERIFY\f[]: specifies to attempt ++connecting with the TPM manufacturer provisioning server with ++SSL_NO_VERIFY option. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH NOTES ++.PP ++When the verbose option is specified, additional curl debugging ++information is provided by setting the curl mode verbose, see: ++ for more ++information. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_getmanufec\ \-e\ abc123\ \-o\ abc123\ \-P\ passwd\ \-H\ 0x81010001\-g\ 0x01\ \-O\ \-N\ \-U\ \-E\ ECcert.bin\ \-f\ ek.bin\ https://tpm.manufacturer.com/ekcertserver/ ++tpm2_getmanufec\ \-e\ 1a1b1c\ \-o\ 1a1b1c\ \-P\ 123abc\ \-H\ 0x81010001\-g\ 0x01\ \-O\ \-N\ \-U\ \-E\ ECcert.bin\ \-f\ ek.bin\ https://tpm.manufacturer.com/ekcertserver/ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_getpubak.1 tpm2-tools-3.0.4-new/man/man1/tpm2_getpubak.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_getpubak.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_getpubak.1 2018-09-10 07:57:14.258577505 -0700 +@@ -0,0 +1,242 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_getpubak" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_getpubak\f[](1) \- Generate attestation key with given ++algorithm under the endorsement hierarchy. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_getpubak\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_getpubak\f[](1) \- Generate attestation key with given ++algorithm under endorsement hierarchy, make it persistent with given ak ++handle, and return pub AK and AK name. ++If any passwd option is missing, assume NULL. ++.PP ++The tool outputs to stdout a YAML representation of the loaded key ++handle as well as it's name, for example: ++.IP ++.nf ++\f[C] ++loaded\-key: ++\ \ handle:\ 800000ff ++\ \ name:\ 000bac149518baa05540a0678bd9b624f8a98d042e46c60f4d098ba394d36fc49268 ++\f[] ++.fi ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\[en]endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]: ++Specifies current endorsement password, defaults to NULL. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]ak\-passwd\f[]=\f[I]AK_PASSWORD\f[] Specifies ++the AK password when created, defaults to NULL. ++Same formatting as the endorse password value or \-e option. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[] ++Specifies the current owner password, defaults to NULL. ++Same formatting as the endorse password value or \-e option. ++.IP \[bu] 2 ++\f[B]\-E\f[], \f[B]\[en]ek\-handle\f[]=\f[I]EK_HANDLE\f[]: Specifies the ++handle used to make EK persistent. ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\[en]ak\-handle\f[]=\f[I]AK_HANDLE\f[]: Specifies the ++handle used to make AK persistent. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]alg\f[]=\f[I]ALGORITHM\f[]: Specifies the ++algorithm type of AK. ++Algorithms should follow the " formatting standards, see section ++\[lq]Algorithm Specifiers\[rq]. ++See section \[lq]Supported Public Object Algorithms\[rq] for a list of ++supported object algorithms. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]alg\f[]=\f[I]ALGORITHM\f[]: Like \-g, but ++specifies the algorithm of sign. ++See section \[lq]Supported Signing Algorithms\[rq] for details. ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\[en]file\f[]=\f[I]FILE\f[]: Specifies the file used ++to save the public portion of AK. ++This will be a binary data structure corresponding to the TPM2B_PUBLIC ++struct in the specification. ++.IP \[bu] 2 ++\f[B]\-n\f[], \f[B]\[en]ak\-name\f[]=\f[I]NAME\f[]: Specifies the file ++used to save the ak name, optional. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Signing Algorithms ++.PP ++Supported algorithms are: ++.IP \[bu] 2 ++\f[B]0x5\f[] or \f[B]hmac\f[] for \f[B]TPM_ALG_HMAC\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0x14\f[] or \f[B]rsassa\f[] for \f[B]TPM_ALG_RSASSA\f[] ++.IP \[bu] 2 ++\f[B]0x16\f[] or \f[B]rsapss\f[] for \f[B]TPM_ALG_RSAPSS\f[] ++.IP \[bu] 2 ++\f[B]0x18\f[] or \f[B]ecdsa\f[] for \f[B]TPM_ALG_ECDSA\f[] ++.IP \[bu] 2 ++\f[B]0x1A\f[] or \f[B]ecdaa\f[] for \f[B]TPM_ALG_ECDAA\f[] ++.IP \[bu] 2 ++\f[B]0x1B\f[] or \f[B]sm2\f[] for \f[B]TPM_ALG_SM2\f[] ++.IP \[bu] 2 ++\f[B]0x1C\f[] or \f[B]ecschnorr\f[] for \f[B]TPM_ALG_ECSCHNORR\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_getpubak\ \-e\ abc123\ \-P\ abc123\ \-o\ passwd\ \-E\ 0x81010001\ \-k\ 0x81010002\ \-f\ ./ak.pub\ \-n\ ./ak.name ++tpm2_getpubak\ \-e\ 1a1b1c\ \-P\ 123abc\ \-o\ 1a1b1c\ \-X\ \-E\ 0x81010001\ \-k\ 0x81010002\ \-f\ ./ak.pub\ \-n\ ./ak.name ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_getpubek.1 tpm2-tools-3.0.4-new/man/man1/tpm2_getpubek.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_getpubek.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_getpubek.1 2018-09-10 07:57:14.443574977 -0700 +@@ -0,0 +1,189 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_getpubek" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_getpubek\f[](1) \- Generate TCG profile compliant endorsement ++key. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_getpubek\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_getpubek\f[](1) \- Generate TCG profile compliant endorsement ++key(endorsement hierarchy primary object), make it persistent with give ++ek handle, and return public EK, if any passwd option is missing, assume ++NULL. ++.PP ++Refer to: ++ ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\[en]endorse\-passwd\f[]=\f[I]ENDORSE_PASSWORD\f[]: ++Specifies current endorsement password, defaults to NULL. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]owner\-passwd\f[]=\f[I]OWNER_PASSWORD\f[] ++Specifies the current owner password, defaults to NULL. ++Same formatting as the endorse password value or \-e option. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]eKPasswd\f[]=\f[I]EK_PASSWORD\f[] Specifies the ++EK password when created, defaults to NULL. ++Same formatting as the endorse password value or \-e option. ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]handle\f[]=\f[I]HANDLE\f[]: specifies the handle ++used to make EK persistent (hex). ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]alg\f[]=\f[I]ALGORITHM\f[]: specifies the ++algorithm type of EK. ++See section \[lq]Supported Public Object Algorithms\[rq] for a list of ++supported object algorithms. ++See section \[lq]Algorithm Specifiers\[rq] on how to specify an ++algorithm argument. ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\[en]file\f[]=\f[I]FILE\f[]: specifies the file used ++to save the public portion of EK. ++This will be a binary data structure corresponding to the TPM2B_PUBLIC ++struct in the specification. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION\f[]: ++Optional Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_getpubek\ \-e\ abc123\ \-o\ abc123\ \-P\ passwd\ \-H\ 0x81010001\ \-g\ rsa\ \-f\ ek.pub ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_getrandom.1 tpm2-tools-3.0.4-new/man/man1/tpm2_getrandom.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_getrandom.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_getrandom.1 2018-09-10 07:57:14.625572490 -0700 +@@ -0,0 +1,144 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_getrandom" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_getrandom\f[](1) \- Retrieves random bytes from the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_getrandom\f[] [\f[I]OPTIONS\f[]] \f[I]SIZE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_getrandom\f[](1) \- Returns the next \f[I]SIZE\f[] octets from ++the random number generator. ++The \f[I]SIZE\f[] parameter is expected as the only argument to the ++tool. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]output\f[]=\f[I]FILE\f[] specifies the filename ++to output the raw bytes to. ++Defaults to stdout as a hex string. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.PP ++Generate a random 20 bytes and output the binary data to a file: ++.IP ++.nf ++\f[C] ++tpm2_getrandom\ \-o\ random.out\ 20 ++\f[] ++.fi ++.PP ++Generate a random 8 bytes and output the hex formated data to stdout: ++.IP ++.nf ++\f[C] ++tpm2_getrandom\ 8 ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_hash.1 tpm2-tools-3.0.4-new/man/man1/tpm2_hash.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_hash.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_hash.1 2018-09-10 07:57:14.800570098 -0700 +@@ -0,0 +1,189 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_hash" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_hash\f[](1) \- Performs a hash operation with the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_hash\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_hash\f[](1) \- performs a hash operation on \f[I]FILE\f[] and ++returns the results. ++If \f[I]FILE\f[] is not specified, then data is read from stdin. ++If the results of the hash will be used in a signing operation that uses ++a restricted signing key, then the ticket returned by this command can ++indicate that the hash is safe to sign. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]hierarchy\f[]=\f[I]HIERARCHY\f[]: hierarchy to ++use for the ticket. ++Supported options are: ++.RS 2 ++.IP \[bu] 2 ++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.IP \[bu] 2 ++\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[] ++.IP \[bu] 2 ++\f[B]n\f[] for \f[B]TPM_RH_NULL\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]HASH_ALGORITHM\f[]: The hash ++algorithm to use. ++Algorithms should follow the \[lq]formatting standards, see ++section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported ++Hash Algorithms" for a list of supported hash algorithms. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]outfile\f[]=\f[I]OUT_FILE\f[] Optional file ++record of the hash result. ++Defaults to stdout in hex form. ++.IP \[bu] 2 ++\f[B]\-t\f[], \f[B]\[en]ticket\f[]=\f[I]TICKET_FILE\f[] Optional file ++record of the ticket result. ++Defaults to stdout in hex form. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.PP ++Hash a file with sha1 hash algorithm and save the hash and ticket to a ++file: ++.IP ++.nf ++\f[C] ++tpm2_hash\ \-H\ e\ \-g\ sha1\ \-o\ hash.bin\ \-t\ ticket.bin\ data.txt ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_hmac.1 tpm2-tools-3.0.4-new/man/man1/tpm2_hmac.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_hmac.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_hmac.1 2018-09-10 07:57:14.979567652 -0700 +@@ -0,0 +1,214 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_hmac" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_hmac\f[](1) \- Performs an HMAC operation with the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_hmac\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_hmac\f[](1) \- performs an HMAC operation on \f[I]FILE\f[] and ++returns the results. ++If \f[I]FILE\f[] is not specified, then data is read from stdin. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_CONTEXT_FILE\f[]: The ++key handle for the symmetric signing key providing the HMAC key. ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: The ++filename of the key context used for the operation. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: The password for ++key, optional. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]HASH_ALGORITHM\f[]: The hash ++algorithm to use. ++Algorithms should follow the \[lq]formatting standards, see ++section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported ++Hash Algorithms" for a list of supported hash algorithms. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]outfile\f[]=\f[I]OUT_FILE\f[] Optional file ++record of the HMAC result. ++Defaults to stdout. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.PP ++Perform a SHA1 HMAC on data.in and send output and possibly ticket to ++stdout: ++.IP ++.nf ++\f[C] ++tpm2_hmac\ \-k\ 0x81010002\ \-P\ abc123\ \-g\ sha1\ data.in ++\f[] ++.fi ++.PP ++Perform a SHA1 HMAC on data.in read as a file to stdin and send output ++to a file: ++.IP ++.nf ++\f[C] ++tpm2_hmac\ \-c\ key.context\ \-P\ abc123\ \-g\ sha1\ \-o\ hash.out\ <<\ data.in ++\f[] ++.fi ++.PP ++Perform a SHA256 HMAC on \f[I]stdin\f[] and send result and possibly ++ticket to stdout: ++.PP ++cat data.in | tpm2_hmac \-k 0x81010002 \-g sha256 \-o hash.out ``` ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_listpersistent.1 tpm2-tools-3.0.4-new/man/man1/tpm2_listpersistent.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_listpersistent.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_listpersistent.1 2018-09-10 07:57:15.157565219 -0700 +@@ -0,0 +1,185 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_listpersistent" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_listpersistent\f[](1) \- Display all defined persistent ++objects. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_listpersistent\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_listpersistent\f[](1) \- display all defined persistent ++objects. ++.SH OPTIONS ++.PP ++These options for listing the persistent objects: ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]ALGORITHM\f[]: Only display ++persistent objects using this hash algorithm. ++Algorithms should follow the " formatting standards, see section ++\[lq]Algorithm Specifiers\[rq]. ++Also, see section \[lq]Supported Hash Algorithms\[rq] for a list of ++supported hash algorithms. ++.IP \[bu] 2 ++\f[B]\-G\f[], \f[B]\[en]kalg\f[]=\f[I]KEY_ALGORITHM\f[]: Only display ++persistent objects using this key algorithm. ++It accepts friendly names just like \f[B]\-g\f[] option. ++See section \[lq]Supported Public Object Algorithms\[rq] for a list of ++supported object algorithms. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Supported Public Object Algorithms ++.PP ++Supported public object algorithms are: ++.IP \[bu] 2 ++\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] ++(\f[B]default\f[]). ++.IP \[bu] 2 ++\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. ++.IP \[bu] 2 ++\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. ++.IP \[bu] 2 ++\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_listpersistent ++tpm2_listpersistent\ \-g\ sha256\ \-G\ ecc ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_load.1 tpm2-tools-3.0.4-new/man/man1/tpm2_load.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_load.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_load.1 2018-09-10 07:57:15.346562636 -0700 +@@ -0,0 +1,176 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_load" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_load\f[](1) \- Load an object into the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_load\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_load\f[](1) \- Load both the private and public portions of an ++object into the TPM. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]parent\f[]=\f[I]PARENT_HANDLE\f[]: The handle of ++the parent object. ++Either this option or \f[B]\-c\f[] must be used. ++.IP \[bu] 2 ++\f[B]\-c\f[], ++\f[B]\[en]context\-parent\f[]=\f[I]PARENT_CONTEXT_FILE\f[]: The filename ++for parent context. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwdp\f[]=\f[I]PARENT_KEY_PASSWORD\f[]: The ++password for parent key, optional. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-u\f[], \f[B]\[en]pubfile\f[]=\f[I]PUBLIC_OBJECT_DATA_FILE\f[]: A ++file containing the public portion of the object. ++.IP \[bu] 2 ++\f[B]\-r\f[], \f[B]\[en]privfile\f[]=\f[I]PRIVATE_OBJECT_DATA_FILE\f[]: ++A file containing the sensitive portion of the object. ++.IP \[bu] 2 ++\f[B]\-n\f[], \f[B]\[en]name\f[]=\f[I]NAME_DATA_FILE\f[]: An optional ++file to save the name structure of the object. ++.IP \[bu] 2 ++\f[B]\-C\f[], \f[B]\[en]context\f[]=\f[I]CONTEXT_FILE\f[]: An optional ++file to save the object context to. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_load\ \ \-H\ 0x80000000\ \-P\ abc123\ \-u\ \ \-r\ \ \-n\ ++tpm2_load\ \ \-c\ parent.context\ \-P\ abc123\ \-u\ \ \-r\ \ \-n\ \ \-C\ object.context ++tpm2_load\ \ \-H\ 0x80000000\ \-P\ "hex:123abc"\ \-u\ \ \-r\ \ \-n\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_loadexternal.1 tpm2-tools-3.0.4-new/man/man1/tpm2_loadexternal.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_loadexternal.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_loadexternal.1 2018-09-10 07:57:15.520560258 -0700 +@@ -0,0 +1,166 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_loadexternal" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_loadexternal\f[](1) \- load an object that is not a Protected ++Object into the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_loadexternal\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_loadexternal\f[](1) \- load an object that is not a Protected ++Object into the TPM. ++The command allows loading of a public area or both a public and a ++sensitive area. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]hierarchy\f[]=\f[I]HIERARCHY\f[]: hierarchy to ++use for the ticket. ++Supported options are: ++.RS 2 ++.IP \[bu] 2 ++\f[B]o\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]p\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.IP \[bu] 2 ++\f[B]e\f[] for \f[B]TPM_RH_ENDORSEMENT\f[] ++.IP \[bu] 2 ++\f[B]n\f[] for \f[B]TPM_RH_NULL\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-u\f[], \f[B]\[en]pubfile\f[]=\f[I]PUBLIC_FILE\f[]: The public ++portion of the object. ++.IP \[bu] 2 ++\f[B]\-r\f[], \f[B]\[en]privfile\f[]=\f[I]PRIVATE_FILE\f[]: The ++sensitive portion of the object, optional. ++.IP \[bu] 2 ++\f[B]\-C\f[], \f[B]\[en]context\f[]=\f[I]CONTEXT_FILE\f[] The file to ++save the object context, optional. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.PP ++Load a public area generated by tpm2_create, tpm2_readpublic or manually ++.IP ++.nf ++\f[C] ++tpm2_loadexternal\ \-H\ \ \-u\ \ \-C\ object.context ++\f[] ++.fi ++.PP ++Load a key with sensitive area. ++Both the public & the senstive areas shall be generated externally. ++\f[I]DON'T\f[] use the areas generated by tpm2_create. ++.IP ++.nf ++\f[C] ++tpm2_loadexternal\ \-H\ n\ \-u\ \ \-r\ \ \-C\ object.context ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_makecredential.1 tpm2-tools-3.0.4-new/man/man1/tpm2_makecredential.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_makecredential.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_makecredential.1 2018-09-10 07:57:15.705557730 -0700 +@@ -0,0 +1,142 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_makecredential" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_makecredential\f[](1) \- load an object that is not a ++Protected Object into the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_makecredential\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_makecredential\f[](1) \- Use a TPM public key to protect a ++secret that is used to encrypt the AK certififcate. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\[en]enckey\f[]=\f[I]PUBLIC_FILE\f[]: A tpm Public ++Key which was used to wrap the seed. ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\[en]sec\f[]=\f[I]SECRET_DATA_FILE\f[]: The secret ++which will be protected by the key derived from the random seed. ++.IP \[bu] 2 ++\f[B]\-n\f[], \f[B]\[en]name\f[]=\f[I]NAME\f[] The name of the key for ++which certificate is to be created. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]out\-file\f[]=\f[I]OUT_FILE\f[] The output file ++path, recording the two structures output by tpm2_makecredential ++function. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_makecredential\ \-e\ \ \-s\ \ \-n\ \ \-o\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvdefine.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvdefine.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_nvdefine.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvdefine.1 2018-09-10 07:57:15.879555352 -0700 +@@ -0,0 +1,204 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_nvdefine" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvdefine\f[](1) \- define a TPM Non\-Volatile (NV) index. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_nvdefine\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_nvdefine\f[](1) \- Define NV index with given auth value. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-x\f[], \f[B]\[en]index\f[]=\f[I]NV_INDEX\f[]: Specifies the index ++to define the space at. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\[en]auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: ++specifies the handle used to authorize: ++.RS 2 ++.IP \[bu] 2 ++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\[en]size\f[]=\f[I]SIZE\f[]: specifies the size of ++data area in bytes. ++Defaults to MAX_NV_INDEX_SIZE which is typically 2048. ++.IP \[bu] 2 ++\f[B]\-t\f[], \f[B]\[en]attributes\f[]=\f[I]ATTRIBUTES\f[] Specifies the ++attribute values for the nv region used when creating the entitiy. ++Either the raw bitfield mask or \[lq]nice\-names\[rq] may be used. ++See section \[lq]NV Attributes\[rq] for more details. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: ++specifies the password of authHandle. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-I\f[], \f[B]\[en]index\-passwd\f[]=\f[I]INDEX_PASSWORD\f[]: ++specifies the password of NV Index when created. ++Follows the same formatting guidelines as the handle password or \-P ++option. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\[en]policy\-file\f[]=\f[I]POLICY_FILE\f[]: Specifies ++the policy digest file for policy based authorizations. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SIZE\f[]: ++Optional Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH NV Attributes ++.PP ++NV Attributes are used to control various properties of the NV defined ++space. ++When specified as an option, either the raw bitfield mask or ++\[lq]nice\-names\[rq] may be used. ++The values can be found in Table 204 Part 2 of the TPM2.0 specification, ++which can be found here: ++.PP ++ ++.PP ++Nice names are calculated by taking the name field of table 204 and ++removing the prefix \f[B]TPMA_NV_\f[] and lowercasing the result. ++Thus, \f[B]TPMA_NV_PPWRITE\f[] becomes ppwrite. ++Nice names can be joined using the bitwise or \[lq]|\[rq] symbol. ++.PP ++Note that the \f[B]TPM_NT\f[] field is 4 bits wide, and thus can be set ++via \f[B]nt=\f[] format. ++For instance, to set The fields \f[B]TPMA_NV_OWNERREAD\f[], ++\f[B]TPMA_NV_OWNERWRITE\f[], \f[B]TPMA_NV_POLICYWRITE\f[], and ++\f[B]TPMA_NT = 0x3\f[], the argument would be: ++.PP ++\f[B]ownerread|ownerwrite|policywrite|nt=0x3\f[] # Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_nvdefine\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32\ \-t\ 0x2000A ++tpm2_nvdefine\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32\ \-t\ ownerread|ownerwrite|policywrite\ \-I\ 1a1b1c ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvlist.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvlist.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_nvlist.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvlist.1 2018-09-10 07:57:16.056552933 -0700 +@@ -0,0 +1,192 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_nvlist" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvlist\f[](1) \- display all defined Non\-Volatile (NV)s ++indices. ++.SS SYNOPSIS ++.PP ++\f[B]tpm2_nvlist\f[] [\f[I]OPTIONS\f[]] ++.SS DESCRIPTION ++.PP ++\f[B]tpm2_nvlist\f[](1) \- display all defined Non\-Volatile (NV)s ++indices to stdout in a YAML format. ++.PP ++Display metadata for all defined NV indices. ++Metadata includes: ++.IP \[bu] 2 ++The size of the defined region. ++.IP \[bu] 2 ++The hash algorithm used to compute the name of the index. ++.IP \[bu] 2 ++The auth policy. ++.IP \[bu] 2 ++The NV attributes as defined in section \[lq]NV Attributes\[rq]. ++.PP ++Example Output: ++.IP ++.nf ++\f[C] ++0x1500015: ++\ \ hash\ algorithm: ++\ \ \ \ friendly:\ sha256 ++\ \ \ \ value:\ 0xB ++\ \ attributes: ++\ \ \ \ friendly:\ ownerwrite|ownerread ++\ \ \ \ value:\ 0x2000200 ++\ \ size:\ 32 ++\ \ authorization\ policy: ++ ++0x1500017: ++\ \ hash\ algorithm: ++\ \ \ \ friendly:\ sha256 ++\ \ \ \ value:\ 0xB ++\ \ attributes: ++\ \ \ \ friendly:\ ownerwrite|ownerread ++\ \ \ \ value:\ 0x2000200 ++\ \ size:\ 32 ++\ \ authorization\ policy: ++\f[] ++.fi ++.SH OPTIONS ++.PP ++This tool takes no tool specific options. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH NV Attributes ++.PP ++NV Attributes are used to control various properties of the NV defined ++space. ++When specified as an option, either the raw bitfield mask or ++\[lq]nice\-names\[rq] may be used. ++The values can be found in Table 204 Part 2 of the TPM2.0 specification, ++which can be found here: ++.PP ++ ++.PP ++Nice names are calculated by taking the name field of table 204 and ++removing the prefix \f[B]TPMA_NV_\f[] and lowercasing the result. ++Thus, \f[B]TPMA_NV_PPWRITE\f[] becomes ppwrite. ++Nice names can be joined using the bitwise or \[lq]|\[rq] symbol. ++.PP ++Note that the \f[B]TPM_NT\f[] field is 4 bits wide, and thus can be set ++via \f[B]nt=\f[] format. ++For instance, to set The fields \f[B]TPMA_NV_OWNERREAD\f[], ++\f[B]TPMA_NV_OWNERWRITE\f[], \f[B]TPMA_NV_POLICYWRITE\f[], and ++\f[B]TPMA_NT = 0x3\f[], the argument would be: ++.PP ++\f[B]ownerread|ownerwrite|policywrite|nt=0x3\f[] # EXAMPLES ++.PP ++To list the defined NV indeces to stdout: ++.IP ++.nf ++\f[C] ++tpm2_nvlist ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvread.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvread.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_nvread.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvread.1 2018-09-10 07:57:16.235550487 -0700 +@@ -0,0 +1,194 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_nvread" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvread\f[](1) \- Read the data stored in a Non\-Volatile (NV)s ++index. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_nvread\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_nvread\f[](1) \- Read the data stored in a Non\-Volatile (NV)s ++index. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-x\f[], \f[B]\[en]index\f[]=\f[I]NV_INDEX\f[]: Specifies the index ++to define the space at. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\[en]auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: ++specifies the handle used to authorize: ++.RS 2 ++.IP \[bu] 2 ++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\[en]output\f[]=\f[I]FILE\f[]: file to write data ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: ++specifies the password of authHandle. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\[en]size\f[]=\f[I]SIZE\f[]: Specifies the size of ++data to be read in bytes, starting from 0 if offset is not specified. ++If not specified, the size of the data as reported by the public portion ++of the index will be used. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]offset\f[]=\f[I]OFFSET\f[]: The offset within ++the NV index to start reading from. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SIZE\f[]: ++Optional Input session handle from a policy session for authorization. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\[en]set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]: ++.RS 2 ++.PP ++The list of pcr banks and selected PCRs' ids. ++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers ++standards, see section \[lq]PCR Bank Specfiers\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-F\f[],**\[en]pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[] ++.RS 2 ++.PP ++Optional Path or Name of the file containing expected pcr values for the ++specified index. ++Default is to read the current PCRs per the set list. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.PP ++To read 32 bytes from an index starting at offset 0: ++.IP ++.nf ++\f[C] ++tpm2_nvread\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-s\ 32 ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvreadlock.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvreadlock.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_nvreadlock.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvreadlock.1 2018-09-10 07:57:16.415548027 -0700 +@@ -0,0 +1,169 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_nvreadlock" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvreadlock\f[](1) \- lock the Non\-Volatile (NV) index for ++further reads. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_nvreadlock\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_nvreadlock\f[](1) \- lock the Non\-Volatile (NV) index for ++further reads. ++The index is released on subsequent restart of the machine. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-x\f[], \f[B]\[en]index\f[]=\f[I]NV_INDEX\f[]: Specifies the index ++to define the space at. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\[en]auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: ++specifies the handle used to authorize: ++.RS 2 ++.IP \[bu] 2 ++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: ++specifies the password of authHandle. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SIZE\f[]: ++Optional Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.PP ++To lock an index protected by a password: ++.IP ++.nf ++\f[C] ++tpm2_nvreadlock\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-P\ passwd ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvrelease.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvrelease.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_nvrelease.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvrelease.1 2018-09-10 07:57:16.603545458 -0700 +@@ -0,0 +1,168 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_nvrelease" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvrelease\f[](1) \- Release a Non\-Volatile (NV) index. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_nvrelease\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_nvrelease\f[](1) \- Release a Non\-Volatile (NV) index that ++was previously defined with tpm2_nvdefine(1). ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-x\f[], \f[B]\[en]index\f[]=\f[I]NV_INDEX\f[]: Specifies the index ++to release. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\[en]auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: ++specifies the handle used to authorize: ++.RS 2 ++.IP \[bu] 2 ++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\[en]size\f[]=\f[I]SIZE\f[]: specifies the size of ++data area in bytes. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: ++specifies the password of authHandle. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SIZE\f[]: ++Optional Input session handle from a policy session for authorization. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_nvrelease\ \-x\ 0x1500016\ \-a\ 0x40000001\ \-P\ passwd ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_nvwrite.1 tpm2-tools-3.0.4-new/man/man1/tpm2_nvwrite.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_nvwrite.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_nvwrite.1 2018-09-10 07:57:16.788542929 -0700 +@@ -0,0 +1,187 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_nvwrite" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_nvwrite\f[](1) \- Write data to a Non\-Volatile (NV) index. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_nvwrite\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_nvwrite\f[](1) \- Write data specified via \f[I]FILE\f[] to a ++Non\-Volatile (NV) index. ++If \f[I]FILE\f[] is not specified, it defaults to stdout. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-x\f[], \f[B]\[en]index\f[]=\f[I]NV_INDEX\f[]: Specifies the index ++to define the space at. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]offset\f[]=\f[I]OFFSET\f[]: The offset within ++the NV index to start writing at. ++.IP \[bu] 2 ++\f[B]\-a\f[], \f[B]\[en]auth\-handle\f[]=\f[I]SECRET_DATA_FILE\f[]: ++specifies the handle used to authorize: ++.RS 2 ++.IP \[bu] 2 ++\f[B]0x40000001\f[] for \f[B]TPM_RH_OWNER\f[] ++.IP \[bu] 2 ++\f[B]0x4000000C\f[] for \f[B]TPM_RH_PLATFORM\f[] ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]handle\-passwd\f[]=\f[I]HANDLE_PASSWORD\f[]: ++specifies the password of authHandle. ++Passwords should follow the \[lq]password formatting standards, see ++section\[rq]Password Formatting“. ++.IP \[bu] 2 ++\f[B]\-S\f[], \f[B]\[en]input\-session\-handle\f[]=\f[I]SIZE\f[]: ++Optional Input session handle from a policy session for authorization. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\[en]set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]: ++.RS 2 ++.PP ++The list of pcr banks and selected PCRs' ids. ++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers ++standards, see section \[lq]PCR Bank Specfiers\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-F\f[],**\[en]pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[] ++.RS 2 ++.PP ++Optional Path or Name of the file containing expected pcr values for the ++specified index. ++Default is to read the current PCRs per the set list. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.PP ++To write the file nv.data to index 0x150016: ++.IP ++.nf ++\f[C] ++tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x40000001\ nv.data ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_pcrevent.1 tpm2-tools-3.0.4-new/man/man1/tpm2_pcrevent.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_pcrevent.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_pcrevent.1 2018-09-10 07:57:16.965540510 -0700 +@@ -0,0 +1,162 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_pcrevent" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_pcrevent\f[](1) \- hashes a file and optionally extends a pcr. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_pcrevent\f[] [\f[I]OPTIONS\f[]] [\f[I]FILE\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_pcrevent\f[](1) hashes \f[I]FILE\f[] if specified or stdin. ++It uses all of the hashing algorithms that the tpm supports. ++Optionally, if a pcr index is specified, it extends that pcr for all ++supported algorithms with the hash digest. ++In either case, it outputs to stdout the hash algorithm used and the ++digest value, one per line: ++.PP ++\f[I]alg\f[]:\f[I]digest\f[] ++.PP ++Where \f[I]alg\f[] is the algorithm used (eg. ++sha1) and \f[I]digest\f[] is the digest resulting from the hash ++computation of \f[I]alg\f[] on the data. ++.PP ++See sections 23.1 and sections 17 of the TPM2.0 ++Specification (https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf) ++.SH OPTIONS ++.PP ++These options control extending the pcr: ++.IP \[bu] 2 ++\f[B]\-i\f[], \f[B]\[en]pcr\-index\f[]=\f[I]INDEX\f[]: Not only compute ++the hash digests on \f[I]FILE\f[], also extend the pcr given by ++\f[I]INDEX\f[] for all supported hash algorithms. ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Use ++\f[I]SESSION_HANDLE\f[] for providing an authorization session for the ++pcr specified by \f[I]INDEX\f[]. ++It is an error to specify \f[B]\-S\f[] without specifying a pcr index ++with \f[B]\-i\f[]. ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]password\f[]=\f[I]PASSWORD\f[]: Use ++\f[I]PASSWORD\f[] for providing an authorization value for the pcr ++specified in \f[I]INDEX\f[]. ++It is an error to specify \f[B]\-P\f[] without specifying a pcr index ++with \f[B]\-i\f[]. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.PP ++Hash a file: ++.PP ++tpm2_pcrevent data ++.PP ++Hash a file and extend pcr 8: ++.PP ++tpm2_pcrevent \-i 8 data ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_pcrextend.1 tpm2-tools-3.0.4-new/man/man1/tpm2_pcrextend.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_pcrextend.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_pcrextend.1 2018-09-10 07:57:17.146538037 -0700 +@@ -0,0 +1,178 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_pcrextend" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_pcrextend\f[](1) \- Extends a PCR. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_pcrextend\f[] [\f[I]OPTIONS\f[]] [\f[I]PCR_DIGEST_SPEC\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_pcrextend\f[](1) Extends the pcrs with values indicated by ++\f[I]PCR_DIGEST_SPEC\f[]. ++.PP ++A \f[I]PCR_DIGEST_SPEC\f[] is defined as follows: ++.IP \[bu] 2 ++A numerical pcr identifier. ++.IP \[bu] 2 ++A colon followed by the algorithm hash specification. ++The algorithm hash specification is as follows: ++.RS 2 ++.IP \[bu] 2 ++The algorithm friendly name or raw numerical. ++.IP \[bu] 2 ++An equals sign. ++.IP \[bu] 2 ++The hex hash value. ++.RE ++.PP ++Example Digest Specification: ++.IP ++.nf ++\f[C] ++4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 ++\f[] ++.fi ++.PP ++\f[B]Note\f[]: that multiple specifications of PCR and hash are allowed. ++Multiple hashes cause the pcr to be extended with both hashes. ++Multiple same PCR values cause the PCR to be extended multiple times. ++Extension is done in order from left to right as specified. ++At most 5 hash extensions per PCR entry are supported. ++This is to keep the parser simple. ++.SH OPTIONS ++.PP ++This tool accepts no tool specific options. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.PP ++Extend PCR 4's SHA1 bank with a hash: ++.IP ++.nf ++\f[C] ++tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15 ++\f[] ++.fi ++.PP ++Extend PCR 4's SHA1 and SHA256 banks with hashes: ++.IP ++.nf ++\f[C] ++tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15,sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c ++\f[] ++.fi ++.PP ++Extend PCR 4's SHA1 and PCR 7's SHA256 bank with hashes: ++.IP ++.nf ++\f[C] ++tpm2_pcrextend\ 4:sha=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15\ 7:sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_pcrlist.1 tpm2-tools-3.0.4-new/man/man1/tpm2_pcrlist.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_pcrlist.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_pcrlist.1 2018-09-10 07:57:17.326535577 -0700 +@@ -0,0 +1,244 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_pcrlist" "1" "AUGUST 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_pcrlist\f[](1) \- List PCR values. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_pcrlist\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_pcrlist\f[](1) Displays PCR values. ++Without any options, \f[B]tpm2_pcrlist\f[] outputs all pcrs and their ++hash banks. ++One can use either the \f[B]\-g\f[] or \f[B]\-L\f[] mutually exclusive ++options to filter the output. ++.PP ++Output is writtien in a YAML format to stdout, with each algorithm ++followed by a PCR index and its value. ++As a simple example assume just sha1 and sha256 support and only 1 PCR. ++The output would be: ++.IP ++.nf ++\f[C] ++sha1\ : ++\ \ 0\ \ :\ 0000000000000000000000000000000000000003 ++sha256\ : ++\ \ 0\ \ :\ 0000000000000000000000000000000000000000000000000000000000000003 ++\f[] ++.fi ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]algorithm\f[]=\f[I]HASH_ALGORITHM\f[]: Only ++output PCR banks with the given algorithm. ++Algorithms should follow the \[lq]formatting standards, see ++section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported ++Hash Algorithms" for a list of supported hash algorithms. ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]output\f[]=\f[I]FILE\f[]: The output file to ++write the PCR values in binary format, optional. ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\[en]sel\-list\f[]=\f[I]PCR_SELECTION_LIST\f[]: ++.RS 2 ++.PP ++The list of pcr banks and selected PCRs' ids for each bank to display. ++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers ++standards, see section \[lq]PCR Bank Specfiers\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\[en]algs\f[]: Output the list of supported ++algorithms. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH PCR Bank Specfiers ++.PP ++PCR Bank Selection lists follow the below specification: ++.IP ++.nf ++\f[C] ++:[,] ++\f[] ++.fi ++.PP ++multiple banks may be separated by `+'. ++.PP ++For example: ++.IP ++.nf ++\f[C] ++sha:3,4+sha256:5,6 ++\f[] ++.fi ++.PP ++will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the ++SHA256 bank. ++.SS Note ++.PP ++PCR Selections allow for up to 5 hash to pcr selection mappings. ++This is a limitaion in design in the single call to the tpm to get the ++pcr values. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.PP ++display all PCR values: ++.IP ++.nf ++\f[C] ++tpm2_pcrlist ++\f[] ++.fi ++.PP ++Display the PCR values with a specified bank: ++.IP ++.nf ++\f[C] ++tpm2_pcrlist\ \-g\ sha1 ++\f[] ++.fi ++.PP ++Display the PCR values with specified banks and store in a file: ++.IP ++.nf ++\f[C] ++tpm2_pcrlist\ \-L\ sha1:16,17,18+sha256:16,17,18\ \-o\ pcrs ++\f[] ++.fi ++.PP ++Display the supported PCR bank algorithms and exit: ++.IP ++.nf ++\f[C] ++tpm2_pcrlist\ \-s ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_quote.1 tpm2-tools-3.0.4-new/man/man1/tpm2_quote.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_quote.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_quote.1 2018-09-10 07:57:17.506533117 -0700 +@@ -0,0 +1,256 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_quote" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_quote\f[](1) \- Provide a quote and signature from the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_quote\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_quote\f[](1) Provide quote and signature for given list of ++PCRs in given algorithm/banks. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\[en]ak\-handle\f[]=\f[I]AK_HANDLE\f[]: ++.RS 2 ++.PP ++Handle of existing AK. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]ak\-context\f[]=\f[I]AK_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++Filename for the existing AK's context. ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]ak\-password\f[]=\f[I]AK_PASSWORD\f[]: ++.RS 2 ++.PP ++specifies the password of \f[I]AK_HANDLE\f[]. ++Passwords should follow the password formatting standards, see section ++\[lq]Password Formatting\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-l\f[], \f[B]\[en]id\-list\f[]=\f[I]PCR_ID_LIST\f[] ++.RS 2 ++.PP ++The comma separated list of selected PCRs' ids, 0~23 e.g. ++\[lq]4,5,6\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\[en]sel\-list\f[]=\f[I]PCR_SELECTION_LIST\f[]: ++.RS 2 ++.PP ++The list of pcr banks and selected PCRs' ids for each bank. ++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers ++standards, see section \[lq]PCR Bank Specfiers\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-m\f[], \f[B]\[en]message\f[]: ++.RS 2 ++.PP ++message output file, records the quote message that makes up the data ++that is signed by the TPM. ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\[en]signature\f[]: ++.RS 2 ++.PP ++signature output file, records the signature in the format specified via ++the \f[B]\-f\f[] option. ++.RE ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\[en]format\f[] ++.RS 2 ++.PP ++Format selection for the signature output file. ++See section \[lq]Signature Format Specifiers\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-q\f[], \f[B]\[en]qualify\-data\f[]: ++.RS 2 ++.PP ++Data given as a Hex string to qualify the quote, optional. ++This is typically used to add a nonce against replay attacks. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: Optional ++Input session handle from a policy session for authorization. ++.IP \[bu] 2 ++\f[B]\-G\f[], \f[B]\[en]sig\-hash\-algorithm\f[]: ++.RS 2 ++.PP ++Hash algorithm for signature. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH PCR Bank Specfiers ++.PP ++PCR Bank Selection lists follow the below specification: ++.IP ++.nf ++\f[C] ++:[,] ++\f[] ++.fi ++.PP ++multiple banks may be separated by `+'. ++.PP ++For example: ++.IP ++.nf ++\f[C] ++sha:3,4+sha256:5,6 ++\f[] ++.fi ++.PP ++will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the ++SHA256 bank. ++.SS Note ++.PP ++PCR Selections allow for up to 5 hash to pcr selection mappings. ++This is a limitaion in design in the single call to the tpm to get the ++pcr values. ++.SH Signature Format Specifiers ++.PP ++Format selection for the signature output file. ++\f[B]tss\f[] (the default) will output a binary blob according to the ++TPM 2.0 specification and any potential compiler padding. ++The option \f[B]plain\f[] will output the plain signature data as ++defined by the used cryptographic algorithm. ++# EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_quote\ \-k\ 0x81010002\ \-P\ abc123\ \-g\ sha1\ \-l\ 16,17,18 ++tpm2_quote\ \-c\ ak.context\ \-P\ "str:abc123"\ \-g\ sha1\ \-l\ 16,17,18 ++tpm2_quote\ \-k\ 0x81010002\ \-g\ sha1\ \-l\ 16,17,18 ++tpm2_quote\ \-c\ ak.context\ \-g\ sha1\ \-l\ 16,17,18 ++tpm2_quote\ \-k\ 0x81010002\ \-P\ "hex:123abc"\ \-L\ sha1:16,17,18+sha256:16,17,18\ \-q\ 11aa22bb ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_rc_decode.1 tpm2-tools-3.0.4-new/man/man1/tpm2_rc_decode.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_rc_decode.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_rc_decode.1 2018-09-10 07:57:17.680530739 -0700 +@@ -0,0 +1,132 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_rc_decode" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_rc_decode\f[](1) \- Decode TPM2 error codes to human readable ++format. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_rc_decode\f[] [\f[I]OPTIONS\f[]] \f[I]RC_CODE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_rc_decode\f[](1) converts \f[I]RC_CODE\f[] originating from ++the SAPI and TCTI into human readable errors. ++Analogous to strerror(3), but for the tpm2 stack. ++.SH OPTIONS ++.PP ++This tool takes no tool specific options. ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_rc_decode\ 0x100 ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_readpublic.1 tpm2-tools-3.0.4-new/man/man1/tpm2_readpublic.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_readpublic.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_readpublic.1 2018-09-10 07:57:17.852528388 -0700 +@@ -0,0 +1,155 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_readpublic" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_readpublic\f[](1) \- Read the public area of a loaded object. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_readpublic\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_readpublic\f[](1) Reads the public area of a loaded object. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]object\f[]=\f[I]HANDLE\f[]: ++.RS 2 ++.PP ++The loaded object handle to read the public data of. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]ak\-context\f[]=\f[I]OBJECT_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++Filename for object context. ++.RE ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]opu\f[]: ++.RS 2 ++.PP ++The output file path, recording the public portion of the object. ++.RE ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\[en]format\f[]: ++.RS 2 ++.PP ++Format selection for the public key output file. ++`tss' (the default) will output a binary blob according to the TPM 2.0 ++secification. ++`pem' will output an OpenSSL compatible PEM encoded public key. ++`der' will output an OpenSSL compatible DER encoded public key. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_readpublic\ \-H\ 0x81010002\ \-\-opu\ output.dat ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_rsadecrypt.1 tpm2-tools-3.0.4-new/man/man1/tpm2_rsadecrypt.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_rsadecrypt.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_rsadecrypt.1 2018-09-10 07:57:18.040525819 -0700 +@@ -0,0 +1,192 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_rsadecrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_rsadecrypt\f[](1) \- Performs an RSA Decryption operation ++using the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_tpm2_rsadecrypt\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_rsadecrypt\f[](1) performs RSA decryption using the indicated ++padding scheme according to IETF RFC 3447 (PKCS#1). ++The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[]. ++.PP ++The key referenced by keyHandle is \f[B]required\f[] to be: ++.IP "1." 3 ++an RSA key ++.IP "2." 3 ++Have the attribute \f[I]decrypt\f[] \f[B]SET\f[] in it's attributes. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: ++.RS 2 ++.PP ++the public portion of RSA key to use for decryption. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++filename of the key context used for the operation. ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: ++.RS 2 ++.PP ++specifies the password of \f[I]KEY_HANDLE\f[]. ++Passwords should follow the password formatting standards, see section ++\[lq]Password Formatting\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-I\f[], \f[B]\[en]in\-file\f[]=\f[I]INPUT\f[]: ++.RS 2 ++.PP ++Input file path, containing the data to be decrypted. ++.RE ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]out\-file\f[]=\f[I]OUTPUT_FILE\f[]: ++.RS 2 ++.PP ++Output file path, record the decrypted data. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: ++.RS 2 ++.PP ++Optional Input session handle from a policy session for authorization. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_rsadecrypt\ \-k\ 0x81010001\ \-I\ encrypted.in\ \-o\ plain.out ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_rsaencrypt.1 tpm2-tools-3.0.4-new/man/man1/tpm2_rsaencrypt.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_rsaencrypt.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_rsaencrypt.1 2018-09-10 07:57:18.219523373 -0700 +@@ -0,0 +1,189 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_rsaencrypt" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_rsaencrypt\f[](1) \- Performs an RSA Encryption operation ++using the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_rsaencrypt\f[] [\f[I]OPTIONS\f[]] \f[I]FILE\f[] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_rsaencrypt\f[](1) performs RSA encryption on the contents of ++\f[I]FILE\f[] (defaulting to stdin) using the indicated padding scheme ++according to IETF RFC 3447 (PKCS#1). ++The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[]. ++.PP ++The key referenced by keyHandle is \f[B]required\f[] to be: ++.IP "1." 3 ++an RSA key ++.IP "2." 3 ++Have the attribute \f[I]decrypt\f[] \f[B]SET\f[] in it's attributes. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: ++.RS 2 ++.PP ++the public portion of RSA key to use for encryption. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++filename of the key context used for the operation. ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: ++.RS 2 ++.PP ++specifies the password of \f[I]KEY_HANDLE\f[]. ++Passwords should follow the password formatting standards, see section ++\[lq]Password Formatting\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]out\-file\f[]=\f[I]OUTPUT_FILE\f[]: ++.RS 2 ++.PP ++Output file path, record the decrypted data. ++The default is to print an xxd compatible hexdump to stdout. ++If a file is specified, raw binary output is performed. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: ++.RS 2 ++.PP ++Optional Input session handle from a policy session for authorization. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_rsaencrypt\ \-k\ 0x81010001\ \-I\ plain.in\ \-o\ encrypted.out ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_send.1 tpm2-tools-3.0.4-new/man/man1/tpm2_send.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_send.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_send.1 2018-09-10 07:57:18.394520981 -0700 +@@ -0,0 +1,147 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_send" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_send\f[](1) \- Send a raw command buffer to the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_send\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_send\f[](1) Sends a TPM command to the TPM. ++The command is read from a file as a binary stream and transmitted to ++the TPM using the TCTI specified by the caller. ++The response received from the TPM is written to the output file. ++.PP ++Likely the caller will want to redirect this to a file or into a program ++to decode and display the response in a human readable form. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]out\-file\f[]=\f[I]OUTPUT_FILE\f[]: ++.RS 2 ++.PP ++Output file to send response buffer to. ++Defaults to stdout. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.PP ++Send the contents of tpm2\-command.bin to a device and collect the ++response as tpm2\-response.bin. ++All examples of below accomplish this task. ++.IP ++.nf ++\f[C] ++tpm2_send\ \-\-tcti=device\ <\ tpm2\-command.bin\ >\ tpm2\-response.bin ++tpm2_send\ \-\-tcti=device\ \-i\ tpm2\-command.bin\ >\ tpm2\-response.bin ++tpm2_send\ \-\-tcti=device\ <\ tpm2\-command.bin\ \-o\ tpm2\-response.bin ++tpm2_send\ \-\-tcti=device\ \-i\ tpm2\-command.bin\ \-o\ tpm2\-response.bin ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_sign.1 tpm2-tools-3.0.4-new/man/man1/tpm2_sign.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_sign.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_sign.1 2018-09-10 07:57:18.572518548 -0700 +@@ -0,0 +1,245 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_sign" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_sign\f[](1) \- Sign a hash using the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_sign\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_sign\f[](1) signs an externally provided hash with the ++specified symmetric or asymmetric signing key. ++If keyHandle references a restricted signing key, then validation shall ++be provided, indicating that the TPM performed the hash of the data and ++validation shall indicate that hashed data did not start with ++\f[B]TPM_GENERATED_VALUE\f[]. ++The scheme of keyHandle should not be \f[B]TPM_ALG_NULL\f[]. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: ++.RS 2 ++.PP ++Handle of key that will perform signing. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++Filename of the key context used for the operation. ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: ++.RS 2 ++.PP ++Specifies the password of \f[I]KEY_HANDLE\f[]. ++Passwords should follow the password formatting standards, see section ++\[lq]Password Formatting\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]HASH_ALGORITHM\f[]: ++.RS 2 ++.PP ++The hash algorithm used to digest the message. ++Algorithms should follow the \[lq]formatting standards, see ++section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported ++Hash Algorithms" for a list of supported hash algorithms. ++.RE ++.IP \[bu] 2 ++\f[B]\-m\f[], \f[B]\[en]msg\f[]=\f[I]MSG_FILE\f[]: ++.RS 2 ++.PP ++The message file, containing the content to be digested. ++.RE ++.IP \[bu] 2 ++\f[B]\-t\f[], \f[B]\[en]ticket\f[]=\f[I]TICKET_FILE\f[]: ++.RS 2 ++.PP ++The ticket file, containning the validation structure, optional. ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\[en]sig\f[]=\f[I]TICKET_FILE\f[]: ++.RS 2 ++.PP ++The signature file, records the signature structure. ++.RE ++.IP \[bu] 2 ++\f[B]\-f\f[], \f[B]\[en]format\f[] ++.RS 2 ++.PP ++Format selection for the signature output file. ++See section \[lq]Signature Format Specifiers\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: ++.RS 2 ++.PP ++Optional Input session handle from a policy session for authorization. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH Signature Format Specifiers ++.PP ++Format selection for the signature output file. ++\f[B]tss\f[] (the default) will output a binary blob according to the ++TPM 2.0 specification and any potential compiler padding. ++The option \f[B]plain\f[] will output the plain signature data as ++defined by the used cryptographic algorithm. ++# EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_sign\ \-k\ 0x81010001\ \-P\ abc123\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ ++tpm2_sign\ \-c\ key.context\ \-P\ abc123\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_startup.1 tpm2-tools-3.0.4-new/man/man1/tpm2_startup.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_startup.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_startup.1 2018-09-10 07:57:18.742516225 -0700 +@@ -0,0 +1,139 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_startup" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_startup\f[](1) \- Send a startup command to the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_startup\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_startup\f[](1) Send a \f[B]TPM2_Startup\f[] command with ++either \f[B]TPM_SU_CLEAR\f[] or \f[B]TPM_SU_STATE\f[]. ++.PP ++\f[B]NOTE\f[]: Typically a Resource Manager or low\-level/boot software ++will have already sent this command. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]clear\f[]: ++.RS 2 ++.PP ++Startup type sent will be \f[B]TPM_SU_CLEAR\f[] instead of ++\f[B]TPM2_SU_STATE\f[]. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_startup ++tpm2_startup\ \-c ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_takeownership.1 tpm2-tools-3.0.4-new/man/man1/tpm2_takeownership.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_takeownership.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_takeownership.1 2018-09-10 07:57:18.932513629 -0700 +@@ -0,0 +1,221 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_takeownership" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_takeownership\f[](1) \- Insert authorization values for the ++owner, endorsement and lockout authorizations. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_takeownership\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_takeownership\f[](1) \- performs a hash operation on ++\f[I]FILE\f[] and returns the results. ++If \f[I]FILE\f[] is not specified, then data is read from stdin. ++If the results of the hash will be used in a signing operation that uses ++a restricted signing key, then the ticket returned by this command can ++indicate that the hash is safe to sign. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]owner\-password\f[]=\f[I]OWNER_PASSWORD\f[]: The ++new owner authorization value. ++.RS 2 ++.PP ++Passwords should follow the password formatting standards, see section ++\[lq]Password Formatting\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-e\f[], \f[B]\[en]endorse\-password\f[]=\f[I]ENDORSE_PASSWORD\f[]: ++.RS 2 ++.PP ++The new endorse authorization value. ++Passwords should follow the same formatting requirements as the \-o ++option. ++.RE ++.IP \[bu] 2 ++\f[B]\-l\f[], \f[B]\[en]lockout\-password\f[]=\f[I]LOCKOUT_PASSWORD\f[]: ++.RS 2 ++.PP ++The new lockout authorization value. ++.PP ++The new endorse authorization value. ++Passwords should follow the same formatting requirements as the \-o ++option. ++.RE ++.IP \[bu] 2 ++\f[B]\-O\f[], ++\f[B]\[en]old\-ownerPassword\f[]=\f[I]OLD_OWNER_PASSWORD\f[]: ++.RS 2 ++.PP ++The old owner authorization value. ++Passwords should follow the same formatting requirements as the \-o ++option. ++.RE ++.IP \[bu] 2 ++\f[B]\-E\f[], ++\f[B]\[en]old\-endorsePassword\f[]=\f[I]OLD_ENDORSE_PASSWORD\f[]: ++.RS 2 ++.PP ++The old endorse authorization value. ++Passwords should follow the same formatting requirements as the \-o ++option. ++.RE ++.IP \[bu] 2 ++\f[B]\-L\f[], ++\f[B]\[en]old\-lockoutPassword\f[]=\f[I]OLD_LOCKOUT_PASSWORD\f[]: ++.RS 2 ++.PP ++The old lockout authorization value. ++Passwords should follow the same formatting requirements as the \-o ++option. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]clear\f[]: ++.RS 2 ++.PP ++Clears the 3 authorizations values with lockout auth, thus one must ++specify \-L. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH EXAMPLES ++.PP ++Set owner, endorsement and lockout authorizations to an empty auth ++value: ++.IP ++.nf ++\f[C] ++tpm2_takeownership\ \-c\ \-L\ oldlockoutpasswd ++\f[] ++.fi ++.PP ++Set owner, endorsement and lockout authorizations to a new value: ++.IP ++.nf ++\f[C] ++tpm2_takeownership\ \-o\ newo\ \-e\ newe\ \-l\ newl\ \-O\ oldo\ \-E\ olde\ \-L\ oldl ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_unseal.1 tpm2-tools-3.0.4-new/man/man1/tpm2_unseal.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_unseal.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_unseal.1 2018-09-10 07:57:19.123511018 -0700 +@@ -0,0 +1,233 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_unseal" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_unseal\f[](1) \- Returns the data in a loaded Sealed Data ++Object. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_unseal\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_unseal\f[](1) \- \-returns the data in a loaded Sealed Data ++Object. ++.PP ++\f[B]NOTE\f[]: The \f[B]\[en]set\-list\f[] and ++\f[B]\[en]pcr\-input\-file\f[] options should only be used for simple ++PCR authentication policies. ++For more complex policies the tools should be ran in an execution ++environment that keeps the session context alive and pass that session ++using the \f[B]\[en]input\-session\-handle\f[] option. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-H\f[], \f[B]\[en]item\f[]=\f[I]ITEM_HANDLE\f[]: ++.RS 2 ++.PP ++Item handle of loaded object. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]item\-context\f[]=\f[I]ITEM_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++Filename of the item context. ++.RE ++.IP \[bu] 2 ++\f[B]\-P\f[], \f[B]\[en]pwdk\f[]=\f[I]KEY_PASSWORD\f[]: ++.RS 2 ++.PP ++Specifies the password of \f[I]ITEM_HANDLE\f[]. ++Passwords should follow the password formatting standards, see section ++\[lq]Password Formatting\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-o\f[], \f[B]\[en]outfile\f[]=\f[I]OUT_FILE\f[]: ++.RS 2 ++.PP ++Output file name, containing the unsealed data. ++Defaults to stdout if not specified. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: ++.RS 2 ++.PP ++Optional Input session handle from a policy session for authorization. ++.RE ++.IP \[bu] 2 ++\f[B]\-L\f[], \f[B]\[en]set\-list\f[]==\f[I]PCR_SELECTION_LIST\f[]: ++.RS 2 ++.PP ++The list of pcr banks and selected PCRs' ids. ++\f[I]PCR_SELECTION_LIST\f[] values should follow the pcr bank specifiers ++standards, see section \[lq]PCR Bank Specfiers\[rq]. ++.RE ++.IP \[bu] 2 ++\f[B]\-F\f[],**\[en]pcr\-input\-file=\f[I]PCR_INPUT_FILE\f[] ++.RS 2 ++.PP ++Optional Path or Name of the file containing expected pcr values for the ++specified index. ++Default is to read the current PCRs per the set list. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH PCR Bank Specfiers ++.PP ++PCR Bank Selection lists follow the below specification: ++.IP ++.nf ++\f[C] ++:[,] ++\f[] ++.fi ++.PP ++multiple banks may be separated by `+'. ++.PP ++For example: ++.IP ++.nf ++\f[C] ++sha:3,4+sha256:5,6 ++\f[] ++.fi ++.PP ++will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the ++SHA256 bank. ++.SS Note ++.PP ++PCR Selections allow for up to 5 hash to pcr selection mappings. ++This is a limitaion in design in the single call to the tpm to get the ++pcr values. ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_unseal\ \-H\ 0x81010001\ \-P\ abc123\ \-o\ out.dat ++tpm2_unseal\ \-c\ item.context\ \-P\ abc123\ \-o\ out.dat ++tpm2_unseal\ \-H\ 0x81010001\ \-P\ "hex:123abc"\ \-o\ out.dat ++tpm2_unseal\ \-c\ item.context\ \-L\ sha1:0,1,2\ \-F\ out.dat ++\f[] ++.fi ++.SH RETURNS ++.PP ++0 on success or 1 on failure. ++.SH BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.SH HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) +diff -urN tpm2-tools-3.0.4/man/man1/tpm2_verifysignature.1 tpm2-tools-3.0.4-new/man/man1/tpm2_verifysignature.1 +--- tpm2-tools-3.0.4/man/man1/tpm2_verifysignature.1 1969-12-31 17:00:00.000000000 -0700 ++++ tpm2-tools-3.0.4-new/man/man1/tpm2_verifysignature.1 2018-09-10 07:57:19.305508531 -0700 +@@ -0,0 +1,244 @@ ++.\" Automatically generated by Pandoc 2.0.6 ++.\" ++.TH "tpm2_verifysignature" "1" "SEPTEMBER 2017" "tpm2\-tools" "General Commands Manual" ++.hy ++.SH NAME ++.PP ++\f[B]tpm2_verifysignature\f[](1) \- Validates a signature using the TPM. ++.SH SYNOPSIS ++.PP ++\f[B]tpm2_verifysignature\f[] [\f[I]OPTIONS\f[]] ++.SH DESCRIPTION ++.PP ++\f[B]tpm2_verifysignature\f[](1) uses loaded keys to validate a ++signature on a message with the message digest passed to the TPM. ++If the signature check succeeds, then the TPM will produce a ++\f[B]TPMT_TK_VERIFIED\f[]. ++Otherwise, the TPM shall return \f[B]TPM_RC_SIGNATURE\f[]. ++If \f[I]KEY_HANDLE\f[] references an asymmetric key, only the public ++portion of the key needs to be loaded. ++If \f[I]KEY_HANDLE\f[] references a symmetric key, both the public and ++private portions need to be loaded. ++.SH OPTIONS ++.IP \[bu] 2 ++\f[B]\-k\f[], \f[B]\[en]key\-handle\f[]=\f[I]KEY_HANDLE\f[]: ++.RS 2 ++.PP ++Handle of key that will used in the validation. ++.RE ++.IP \[bu] 2 ++\f[B]\-c\f[], \f[B]\[en]key\-context\f[]=\f[I]KEY_CONTEXT_FILE\f[]: ++.RS 2 ++.PP ++Filename of the key context used for the operation. ++.RE ++.IP \[bu] 2 ++\f[B]\-g\f[], \f[B]\[en]halg\f[]=\f[I]HASH_ALGORITHM\f[]: ++.RS 2 ++.PP ++The hash algorithm used to digest the message. ++Algorithms should follow the \[lq]formatting standards, see ++section\[rq]Algorithm Specifiers\[lq]. Also, see section\[rq]Supported ++Hash Algorithms" for a list of supported hash algorithms. ++.RE ++.IP \[bu] 2 ++\f[B]\-m\f[], \f[B]\[en]msg\f[]=\f[I]MSG_FILE\f[]: ++.RS 2 ++.PP ++The message file, containing the content to be digested. ++.RE ++.IP \[bu] 2 ++\f[B]\-D\f[], \f[B]\[en]digest\f[]=\f[I]DIGEST_FILE\f[]: ++.RS 2 ++.PP ++The input hash file, containing the hash of the message. ++If this option is selected, then the message (\f[B]\-m\f[]) and ++algorithm (\f[B]\-g\f[]) options do not need to be specified. ++.RE ++.IP \[bu] 2 ++\f[B]\-s\f[], \f[B]\[en]sig\f[]=\f[I]SIG_FILE\f[]: ++.RS 2 ++.PP ++The input signature file of the signature to be validated. ++.RE ++.IP \[bu] 2 ++\f[B]\-r\f[], \f[B]\[en]raw\f[]: ++.RS 2 ++.PP ++Set the input signature file to raw type. ++The default is TPMT_SIGNATURE. ++.RE ++.IP \[bu] 2 ++\f[B]\-t\f[], \f[B]\[en]ticket\f[]=\f[I]TICKET_FILE\f[]: ++.RS 2 ++.PP ++The ticket file to record the validation structure. ++.RE ++.IP \[bu] 2 ++\f[B]\-S\f[], ++\f[B]\[en]input\-session\-handle\f[]=\f[I]SESSION_HANDLE\f[]: ++.RS 2 ++.PP ++Optional Input session handle from a policy session for authorization. ++.RE ++.SH COMMON OPTIONS ++.PP ++This collection of options are common to many programs and provide ++information that many users may expect. ++.IP \[bu] 2 ++\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. ++This requires the manpages to be installed or on \f[I]MANPATH\f[], See ++man(1) for more details. ++.IP \[bu] 2 ++\f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for ++this tool, supported tctis and exit. ++.IP \[bu] 2 ++\f[B]\-V\f[], \f[B]\[en]verbose\f[]: Increase the information that the ++tool prints to the console during its execution. ++When using this option the file and line number are printed. ++.IP \[bu] 2 ++\f[B]\-Q\f[], \f[B]\[en]quiet\f[]: Silence normal tool output to stdout. ++.IP \[bu] 2 ++\f[B]\-Z\f[], \f[B]\[en]enable\-errata\f[]: Enable the application of ++errata fixups. ++Useful if an errata fixup needs to be applied to commands sent to the ++TPM. ++# TCTI ENVIRONMENT ++.PP ++This collection of environment variables that may be used to configure ++the various TCTI modules available. ++.PP ++The values passed through these variables can be overridden on a ++per\-command basis using the available command line options, see the ++\f[I]TCTI_OPTIONS\f[] section. ++.PP ++The variables respected depend on how the software was configured. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_TCTI_NAME\f[]: Select the TCTI used for communication ++with the next component down the TSS stack. ++In most configurations this will be the TPM but it could be a simulator ++or proxy. ++The current known TCTIs are: ++.RS 2 ++.IP \[bu] 2 ++tabrmd \- The new resource manager, called ++tabrmd (https://github.com/01org/tpm2-abrmd). ++.IP \[bu] 2 ++socket \- Typically used with the old resource manager, or talking ++directly to a simulator. ++.IP \[bu] 2 ++device \- Used when talking directly to a TPM device file. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_DEVICE_FILE\f[]: When using the device TCTI, specify the ++TPM device file. ++The default is \[lq]/dev/tpm0\[rq]. ++.RS 2 ++.PP ++Note: Using the tpm directly requires the users to ensure that ++concurrent access does not occur and that they manage the tpm resources. ++These tasks are usually managed by a resource manager. ++Linux 4.12 and greater supports an in kernel resource manager at ++\[lq]/dev/tpmrm\f[B]\f[]\[rq], typically \[lq]/dev/tpmrm0\[rq]. ++.RE ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_ADDRESS\f[]: When using the socket TCTI, specify ++the domain name or IP address used. ++The default is 127.0.0.1. ++.IP \[bu] 2 ++\f[I]TPM2TOOLS_SOCKET_PORT\f[]: When using the socket TCTI, specify the ++port number used. ++The default is 2321. ++.SH TCTI OPTIONS ++.PP ++This collection of options are used to configure the varous TCTI modules ++available. ++They override any environment variables. ++.IP \[bu] 2 ++\f[B]\-T\f[], ++\f[B]\[en]tcti\f[]=\f[I]TCTI_NAME\f[]\f[B][\f[]:\f[I]TCTI_OPTIONS\f[]\f[B]]\f[]: ++Select the TCTI used for communication with the next component down the ++TSS stack. ++In most configurations this will be the resource manager: ++tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific ++options can appended to \f[I]TCTI_NAME\f[] by appending a \f[B]:\f[] to ++\f[I]TCTI_NAME\f[]. ++.RS 2 ++.IP \[bu] 2 ++For the device TCTI, the TPM device file for use by the device TCTI can ++be specified. ++The default is /dev/tpm0. ++Example: \f[B]\-T device:/dev/tpm0\f[] ++.IP \[bu] 2 ++For the socket TCTI, the domain name or IP address and port number used ++by the socket can be specified. ++The default are 127.0.0.1 and 2321. ++Example: \f[B]\-T socket:127.0.0.1:2321\f[] ++.IP \[bu] 2 ++For the abrmd TCTI, it takes no options. ++Example: \f[B]\-T abrmd\f[] ++.RE ++.SH Password Formatting ++.PP ++Passwords are interpreted in two forms, string and hex\-string. ++A string password is not interpreted, and is directly used for ++authorization. ++A hex\-string, is converted from a hexidecimal form into a byte array ++form, thus allowing passwords with non\-printable and/or terminal ++un\-friendly characters. ++.PP ++By default passwords are assumed to be in the string form. ++Password form is specified with special prefix values, they are: ++.IP \[bu] 2 ++str: \- Used to indicate it is a raw string. ++Useful for escaping a password that starts with the \[lq]hex:\[rq] ++prefix. ++.IP \[bu] 2 ++hex: \- Used when specifying a password in hex string format. ++.SH Supported Hash Algorithms ++.PP ++Supported hash algorithms are: ++.IP \[bu] 2 ++\f[B]0x4\f[] or \f[B]sha1\f[] for \f[B]TPM_ALG_SHA1\f[] ++\f[B](default)\f[] ++.IP \[bu] 2 ++\f[B]0xB\f[] or \f[B]sha256\f[] for \f[B]TPM_ALG_SHA256\f[] ++.IP \[bu] 2 ++\f[B]0xC\f[] or \f[B]sha384\f[] for \f[B]TPM_ALG_SHA384\f[] ++.IP \[bu] 2 ++\f[B]0xD\f[] or \f[B]sha512\f[] for \f[B]TPM_ALG_SHA512\f[] ++.IP \[bu] 2 ++\f[B]0x12\f[] or \f[B]sm3_256\f[] for \f[B]TPM_ALG_SM3_256\f[] ++.PP ++\f[B]NOTE\f[]: Your TPM may not support all algorithms. ++.SH Algorithm Specfiers ++.PP ++Options that take algorithms support \[lq]nice\-names\[rq]. ++Nice names, like sha1 can be used in place of the raw hex for sha1: 0x4. ++The nice names are converted by stripping the leading \f[B]TPM_ALG_\f[] ++from the Algorithm Name field and converting it to lower case. ++For instance \f[B]TPM_ALG_SHA3_256\f[] becomes \f[B]sha3_256\f[]. ++.PP ++The algorithms can be found at: ++ ++.SH EXAMPLES ++.IP ++.nf ++\f[C] ++tpm2_verifysignature\ \-k\ 0x81010001\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ ++tpm2_verifysignature\ \-k\ 0x81010001\ \-D\ \ \-s\ \ \-t\ ++tpm2_verifysignature\ \-c\ key.context\ \-g\ sha256\ \-m\ \ \-s\ \ \-t\ ++\f[] ++.fi ++.PP ++RETURNS ++.PP ++0 on success or 1 on failure. ++.PP ++BUGS ++.PP ++Github Issues (https://github.com/01org/tpm2-tools/issues) ++.PP ++HELP ++.PP ++See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2) diff --git a/SOURCES/autoconf-fixup.patch b/SOURCES/autoconf-fixup.patch new file mode 100644 index 0000000..b248354 --- /dev/null +++ b/SOURCES/autoconf-fixup.patch @@ -0,0 +1,10 @@ +diff -urN tpm2-tools-3.0.1/configure.ac tpm2-tools-3.0.1-new/configure.ac +--- tpm2-tools-3.0.1/configure.ac 2017-12-08 11:19:47.000000000 -0700 ++++ tpm2-tools-3.0.1-new/configure.ac 2017-12-15 10:01:43.128340107 -0700 +@@ -1,5 +1,4 @@ +-AC_INIT([tpm2-tools], +- [m4_esyscmd_s([git describe --tags --always --dirty])]) ++AC_INIT([tpm2-tools],[3.0.4]) + AC_CONFIG_MACRO_DIR([m4]) + AC_PROG_CC + LT_INIT diff --git a/SPECS/tpm2-tools.spec b/SPECS/tpm2-tools.spec new file mode 100644 index 0000000..49e553b --- /dev/null +++ b/SPECS/tpm2-tools.spec @@ -0,0 +1,122 @@ +Name: tpm2-tools +Version: 3.0.4 +Release: 3%{?dist} +Summary: A TPM2.0 testing tool build upon TPM2.0-TSS + +License: BSD +URL: https://github.com/tpm2-software/tpm2-tools +Source0: https://github.com/tpm2-software/tpm2-tools/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz + +# work around lack of pandoc in RHEL7 +Patch0: add-man-pages.patch +# Deal with RHEL rpmbuilds not being from git +Patch1: autoconf-fixup.patch +Patch2: 0001-tpm2_create-Use-better-object-attributes-defaults-fo.patch + +BuildRequires: gcc-c++ +BuildRequires: libtool +BuildRequires: autoconf-archive +BuildRequires: pkgconfig(cmocka) +BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(openssl) +# tpm2-tss-devel provides sapi/tcti-device/tcti-socket +BuildRequires: pkgconfig(sapi) +BuildRequires: pkgconfig(tcti-device) +BuildRequires: pkgconfig(tcti-socket) +BuildRequires: pkgconfig(tcti-tabrmd) + +# this package does not support big endian arch so far, +# and has been verified only on Intel platforms. +ExclusiveArch: %{ix86} x86_64 + +# tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required +Requires: tpm2-tss%{?_isa} >= 1.3.0-1%{?dist} + +# tpm2-tools project changed the install path for binaries and man page section +Obsoletes: tpm2-tools <= 2.1.0-2 + +%description +tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss. + +%prep +%autosetup -p1 -n %{name}-%{version} +./bootstrap + +%build +%configure --prefix=/usr --disable-static --disable-silent-rules +%make_build + +%install +%make_install + +%files +%doc README.md CHANGELOG.md +%license LICENSE +%{_bindir}/tpm2_* +%{_mandir}/man1/tpm2_*.1.gz + +%changelog +* Thu Feb 21 2019 Jerry Snitselaar - 3.0.4-3 +- Remove obsolete flag from tpm2_create examples +resolves: rhbz#1570870 + +* Thu Sep 06 2018 Jerry Snitselaar - 3.0.4-2 +- tpm2_create: Use better object attributes defaults for authentication +resolves: rhbz#1627282 + +* Fri Jun 15 2018 Jerry Snitselaar - 3.0.4-1 +- Rebase to 3.0.4 release +resolves: rhbz#1515108 + +* Wed Dec 13 2017 Jerry Snitselaar - 3.0.1-1 +- Rebase to 3.0.1 release +resolves: rhbz#1463100 + +* Wed Oct 18 2017 Jerry Snitselaar - 2.1.0-2 +- Fix potential memory leak +resolves: rhbz#1463100 + +* Wed Aug 30 2017 Jerry Snitselaar - 2.1.0-1 +- Rebase to 2.1.0 release +resolves: rhbz#1463100 + +* Mon May 15 2017 Jerry Snitselaar - 1.1.0-7 +- decide pcrs to read based off data returned from TPM2_GetCapability +resolves: rhbz#1449276 + +* Wed Apr 19 2017 Jerry Snitselaar - 1.1.0-6 +- check for null ptrs in RetrieveEndorsementCredentials + +* Tue Apr 04 2017 Jerry Snitselaar - 1.1.0-5 +- Remove epel dependencies +- Change tpm2-tss dependency to not be tied to 1 version +- Fix resource leak in InitSysContext +- Clean up HashEKPublicKey +- Add needed null checks to tpm2_getmanufec +- clean up resource leak in tpm2_getmanufec +- use strdup to get server address in tpm2_getmanufec +- change preparePcrSelections_g to void +- return on success in print_rc_tpm_error_code +- Update release version +resolves: rhbz#1275029 - Add tpm2.0-tools package + +* Fri Jan 20 2017 Sun Yunying - 1.1.0-4 +- Dependency check failed for Requires again, here to fix this +- Update release version and changelog + +* Thu Jan 19 2017 Sun Yunying - 1.1.0-3 +- Change spec file permission to 644 to avoid rpmlint complain +- Update Requires to fix dependency check error reported in Bodhi +- Remove tpm2-tss-devel version in BuildRequires comment +- Update release version and changelog + +* Wed Dec 21 2016 Sun Yunying - 1.1.0-2 +- Remove pkg_version to avoid dupliate use of version +- Remove redundant BuildRequires for autoconf/automake/pkgconfig +- Add comments for BuildRequires of sapi/tcti-device/tcti-socket +- Use ExclusiveArch instead of ExcludeArch +- Requires tpm2-tss version updated to 1.0-2 +- Updated release version and changelog + +* Fri Dec 2 2016 Sun Yunying - 1.1.0-1 +- Initial version of the package