blob: 85ec9e6f07780f83b0ea7bdff545f6f6d61795fe (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
|
AutoGen Definitions options;
prog-name = tpmtool;
prog-title = "GnuTLS TPM tool";
prog-desc = "Program to handle TPM as a cryptographic device.\n";
detail = "Program that allows handling cryptographic data from the TPM chip.";
short-usage = "tpmtool [options]\ntpmtool --help for usage instructions.\n";
explain = "";
#define OUTFILE_OPT 1
#define INFILE_OPT 1
#include args-std.def
flag = {
name = generate-rsa;
descrip = "Generate an RSA private-public key pair";
doc = "Generates an RSA private-public key pair in the TPM chip.
The key may be stored in file system and protected by a PIN, or stored (registered)
in the TPM chip flash.";
};
flag = {
name = register;
descrip = "Any generated key will be registered in the TPM";
flags_must = generate-rsa;
doc = "";
};
flag = {
name = signing;
descrip = "Any generated key will be a signing key";
flags_must = generate-rsa;
flags_cant = legacy;
doc = "";
};
flag = {
name = legacy;
descrip = "Any generated key will be a legacy key";
flags_must = generate-rsa;
flags_cant = signing;
doc = "";
};
flag = {
name = user;
descrip = "Any registered key will be a user key";
flags_must = register;
flags_cant = system;
doc = "The generated key will be stored in a user specific persistent storage.";
};
flag = {
name = system;
descrip = "Any registered key will be a system key";
flags_must = register;
flags_cant = user;
doc = "The generated key will be stored in system persistent storage.";
};
flag = {
name = pubkey;
arg-type = string;
arg-name = "url";
descrip = "Prints the public key of the provided key";
doc = "";
};
flag = {
name = list;
descrip = "Lists all stored keys in the TPM";
doc = "";
};
flag = {
name = delete;
arg-type = string;
arg-name = "url";
descrip = "Delete the key identified by the given URL (UUID).";
doc = "";
};
flag = {
name = test-sign;
arg-type = string;
arg-name = "url";
descrip = "Tests the signature operation of the provided object";
doc = "It can be used to test the correct operation of the signature operation.
This operation will sign and verify the signed data.";
};
flag = {
name = sec-param;
arg-type = string;
arg-name = "Security parameter";
descrip = "Specify the security level [low, legacy, medium, high, ultra].";
doc = "This is alternative to the bits option. Note however that the
values allowed by the TPM chip are quantized and given values may be rounded up.";
};
flag = {
name = bits;
arg-type = number;
descrip = "Specify the number of bits for key generate";
doc = "";
};
flag = {
name = inder;
descrip = "Use the DER format for keys.";
disabled;
disable = "no";
doc = "The input files will be assumed to be in the portable
DER format of TPM. The default format is a custom format used by various
TPM tools";
};
flag = {
name = outder;
descrip = "Use DER format for output keys";
disabled;
disable = "no";
doc = "The output will be in the TPM portable DER format.";
};
flag = {
name = srk-well-known;
descrip = "SRK has well known password (20 bytes of zeros)";
};
doc-section = {
ds-type = 'SEE ALSO';
ds-format = 'texi';
ds-text = <<-_EOT_
p11tool (1), certtool (1)
_EOT_;
};
doc-section = {
ds-type = 'EXAMPLES';
ds-format = 'texi';
ds-text = <<-_EOT_
To generate a key that is to be stored in file system use:
@example
$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
@end example
To generate a key that is to be stored in TPM's flash use:
@example
$ tpmtool --generate-rsa --bits 2048 --register --user
@end example
To get the public key of a TPM key use:
@example
$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
--outfile pubkey.pem
@end example
or if the key is stored in the file system:
@example
$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem
@end example
To list all keys stored in TPM use:
@example
$ tpmtool --list
@end example
_EOT_;
};
|