| .\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) |
| .\" |
| .\" Standard preamble: |
| .\" ======================================================================== |
| .de Sp \" Vertical space (when we can't use .PP) |
| .if t .sp .5v |
| .if n .sp |
| .. |
| .de Vb \" Begin verbatim text |
| .ft CW |
| .nf |
| .ne \\$1 |
| .. |
| .de Ve \" End verbatim text |
| .ft R |
| .fi |
| .. |
| .\" Set up some character translations and predefined strings. \*(-- will |
| .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
| .\" double quote, and \*(R" will give a right double quote. \*(C+ will |
| .\" give a nicer C++. Capital omega is used to do unbreakable dashes and |
| .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, |
| .\" nothing in troff, for use with C<>. |
| .tr \(*W- |
| .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
| .ie n \{\ |
| . ds -- \(*W- |
| . ds PI pi |
| . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
| . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
| . ds L" "" |
| . ds R" "" |
| . ds C` "" |
| . ds C' "" |
| 'br\} |
| .el\{\ |
| . ds -- \|\(em\| |
| . ds PI \(*p |
| . ds L" `` |
| . ds R" '' |
| . ds C` |
| . ds C' |
| 'br\} |
| .\" |
| .\" Escape single quotes in literal strings from groff's Unicode transform. |
| .ie \n(.g .ds Aq \(aq |
| .el .ds Aq ' |
| .\" |
| .\" If the F register is >0, we'll generate index entries on stderr for |
| .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
| .\" entries marked with X<> in POD. Of course, you'll have to process the |
| .\" output yourself in some meaningful fashion. |
| .\" |
| .\" Avoid warning from groff about undefined register 'F'. |
| .de IX |
| .. |
| .nr rF 0 |
| .if \n(.g .if rF .nr rF 1 |
| .if (\n(rF:(\n(.g==0)) \{\ |
| . if \nF \{\ |
| . de IX |
| . tm Index:\\$1\t\\n%\t"\\$2" |
| .. |
| . if !\nF==2 \{\ |
| . nr % 0 |
| . nr F 2 |
| . \} |
| . \} |
| .\} |
| .rr rF |
| .\" |
| .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
| .\" Fear. Run. Save yourself. No user-serviceable parts. |
| . \" fudge factors for nroff and troff |
| .if n \{\ |
| . ds #H 0 |
| . ds #V .8m |
| . ds #F .3m |
| . ds #[ \f1 |
| . ds #] \fP |
| .\} |
| .if t \{\ |
| . ds #H ((1u-(\\\\n(.fu%2u))*.13m) |
| . ds #V .6m |
| . ds #F 0 |
| . ds #[ \& |
| . ds #] \& |
| .\} |
| . \" simple accents for nroff and troff |
| .if n \{\ |
| . ds ' \& |
| . ds ` \& |
| . ds ^ \& |
| . ds , \& |
| . ds ~ ~ |
| . ds / |
| .\} |
| .if t \{\ |
| . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" |
| . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' |
| . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' |
| . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' |
| . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' |
| . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' |
| .\} |
| . \" troff and (daisy-wheel) nroff accents |
| .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' |
| .ds 8 \h'\*(#H'\(*b\h'-\*(#H' |
| .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] |
| .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' |
| .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' |
| .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] |
| .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] |
| .ds ae a\h'-(\w'a'u*4/10)'e |
| .ds Ae A\h'-(\w'A'u*4/10)'E |
| . \" corrections for vroff |
| .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' |
| .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' |
| . \" for low resolution devices (crt and lpr) |
| .if \n(.H>23 .if \n(.V>19 \ |
| \{\ |
| . ds : e |
| . ds 8 ss |
| . ds o a |
| . ds d- d\h'-1'\(ga |
| . ds D- D\h'-1'\(hy |
| . ds th \o'bp' |
| . ds Th \o'LP' |
| . ds ae ae |
| . ds Ae AE |
| .\} |
| .rm #[ #] #H #V #F C |
| .\" ======================================================================== |
| .\" |
| .IX Title "swtpm_setup 8" |
| .TH swtpm_setup 8 "2019-07-09" "swtpm" "" |
| .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
| .\" way too many mistakes in technical documents. |
| .if n .ad l |
| .nh |
| .SH "NAME" |
| swtpm_setup \- Swtpm utility to simulate the manufacturing of a TPM 1.2 or 2.0 |
| .SH "SYNOPSIS" |
| .IX Header "SYNOPSIS" |
| \&\fBswtpm_setup [\s-1OPTIONS\s0]\fR |
| .SH "DESCRIPTION" |
| .IX Header "DESCRIPTION" |
| \&\fBswtpm_setup\fR is a tool that prepares the intial state for a libtpms-based |
| \&\s-1TPM.\s0 |
| .PP |
| For creating the initial state of a \s-1TPM 1.2,\s0 swtpm_setup must be run either |
| as root or as the user the that tcsd requires, which is typically tss. |
| .PP |
| The following options are supported: |
| .IP "\fB\-\-runas <userid\fR>" 4 |
| .IX Item "--runas <userid>" |
| Use this userid to run swtpm_setup.sh; by default 'tss' is used. |
| .IP "\fB\-\-config <file\fR>" 4 |
| .IX Item "--config <file>" |
| Path to configuration file containing the tool to use for creating |
| certificates; see also \fBswtpm_setup.conf\fR |
| .Sp |
| If this parameter is not provided, the default configuration file |
| /etc/swtpm_setup.conf will be used. If the environment variable |
| \&\s-1XDG_CONFIG_HOME\s0 is set, the configuration file is assumed to be |
| \&\f(CW$XDG_CONFIG_HOME\fR/swtpm_setup.conf. |
| .IP "\fB\-\-tpm\-state <dir\fR> or \fB\-\-tpmstate <dir\fR>" 4 |
| .IX Item "--tpm-state <dir> or --tpmstate <dir>" |
| Path to a directory where the \s-1TPM\s0's state will be written into; |
| this is a mandatory argument |
| .IP "\fB\-\-tpm <path to executable\fR>" 4 |
| .IX Item "--tpm <path to executable>" |
| Path to the \s-1TPM\s0 executable; this is an optional argument and |
| by default the swtpm executable found in the \s-1PATH\s0 will be used. |
| .IP "\fB\-\-tpm2\fR" 4 |
| .IX Item "--tpm2" |
| Do setup on a \s-1TPM 2\s0; by default a \s-1TPM 1.2\s0 is setup. |
| .IP "\fB\-\-createek\fR" 4 |
| .IX Item "--createek" |
| Create the \s-1EK\s0 |
| .IP "\fB\-\-allow\-signing\fR" 4 |
| .IX Item "--allow-signing" |
| Create an \s-1EK\s0 that can sign. This option requires \-\-tpm2. |
| .Sp |
| Note that the \s-1TCG\s0 specification \*(L"\s-1EK\s0 Credential Profile For \s-1TPM\s0 Family 2.0; Level 0\*(R" |
| suggests in its section on \*(L"\s-1EK\s0 Usage\*(R" that \*(L"the Endorsement Key can be a |
| created as a decryption or signing key.\*(R" However, some platforms will |
| not accept an \s-1EK\s0 as a signing key, or as a signing and encryption key, and |
| therefore this option should be used very carfully. |
| .IP "\fB\-\-decryption\fR" 4 |
| .IX Item "--decryption" |
| Create an \s-1EK\s0 that can be used for key encipherment. This is the default |
| unless \-\-allow\-signing is passed. This option requires \-\-tpm2. |
| .IP "\fB\-\-ecc\fR" 4 |
| .IX Item "--ecc" |
| Create elliptic curve crypto (\s-1ECC\s0) keys; by default \s-1RSA\s0 keys are generated. |
| .IP "\fB\-\-take\-ownership\fR" 4 |
| .IX Item "--take-ownership" |
| Take ownership; this option implies \-\-createek |
| .IP "\fB\-\-ownerpass <password\fR>" 4 |
| .IX Item "--ownerpass <password>" |
| Provide custom owner password; default is ooo |
| .IP "\fB\-\-owner\-well\-known\fR" 4 |
| .IX Item "--owner-well-known" |
| Use a password of all zeros (20 bytes of zeros) as the owner password |
| .IP "\fB\-\-srkpass <password\fR>" 4 |
| .IX Item "--srkpass <password>" |
| Provide custom \s-1SRK\s0 password; default is sss |
| .IP "\fB\-\-srk\-well\-known\fR" 4 |
| .IX Item "--srk-well-known" |
| Use a password of all zeros (20 bytes of zeros) as the \s-1SRK\s0 password |
| .IP "\fB\-\-create\-ek\-cert\fR" 4 |
| .IX Item "--create-ek-cert" |
| Create an \s-1EK\s0 certificate; this implies \-\-createek |
| (\s-1NOT SUPPORTED YET\s0) |
| .IP "\fB\-\-create\-platform\-cert\fR" 4 |
| .IX Item "--create-platform-cert" |
| Create a platform certificate; this implies \-\-create\-ek\-cert |
| .IP "\fB\-\-lock\-nvram\fR" 4 |
| .IX Item "--lock-nvram" |
| Lock \s-1NVRAM\s0 access |
| .IP "\fB\-\-display\fR" 4 |
| .IX Item "--display" |
| At the end display as much info as possible about the configuration |
| of the \s-1TPM\s0 |
| .IP "\fB\-\-logfile <logfile\fR>" 4 |
| .IX Item "--logfile <logfile>" |
| The logfile to log to. By default logging goes to stdout and stderr. |
| .IP "\fB\-\-keyfile <keyfile\fR>" 4 |
| .IX Item "--keyfile <keyfile>" |
| The key file contains an \s-1ASCII\s0 hex key consisting of 32 hex digits with an |
| optional leading '0x'. This is the key to be used by the \s-1TPM\s0 emulator |
| for encrypting the state of the \s-1TPM.\s0 |
| .IP "\fB\-\-keyfile\-fd <file descriptor\fR>" 4 |
| .IX Item "--keyfile-fd <file descriptor>" |
| Like \fB\-\-keyfile\fR but the key will be read from the file descriptor. |
| .IP "\fB\-\-pwdfile <passphrase file\fR>" 4 |
| .IX Item "--pwdfile <passphrase file>" |
| The passphrase file contains a passphrase from which the \s-1TPM\s0 emulator |
| will derive the encyrption key from and use the key for encrypting the \s-1TPM\s0 |
| state. |
| .IP "\fB\-\-pwdfile\-fd <file descriptor\fR>" 4 |
| .IX Item "--pwdfile-fd <file descriptor>" |
| Like \fB\-\-pwdfile\fR but the passphrase will be read from the file descriptor. |
| .IP "\fB\-\-ciper <cipher\fR>" 4 |
| .IX Item "--ciper <cipher>" |
| The cipher may be either aes-cbc or aes\-128\-cbc for 128 bit \s-1AES\s0 encryption, |
| or aes\-256\-cbc for 256 bit \s-1AES\s0 encryption. The same cipher must be used |
| on the \fIswtpm\fR command line later on. |
| .IP "\fB\-\-overwrite\fR" 4 |
| .IX Item "--overwrite" |
| Overwrite existing \s-1TPM\s0 state. All previous state will be erased. |
| If this option is not given and an existing state file is found, an error |
| code is returned. |
| .IP "\fB\-\-not\-overwrite\fR" 4 |
| .IX Item "--not-overwrite" |
| Do not overwrite existing \s-1TPM\s0 state. If exising \s-1TPM\s0 state is found, the |
| program ends without an error. |
| .IP "\fB\-\-vmid <\s-1VM ID\s0\fR>" 4 |
| .IX Item "--vmid <VM ID>" |
| Optional \s-1VM ID\s0 that can be used to keep track of certificates issued |
| for VMs (or containers). This parameter will be passed through to the tool |
| used for creating the certificates and may be required by that tool. |
| .IP "\fB\-\-pcr\-banks <\s-1PCR\s0 banks\fR>" 4 |
| .IX Item "--pcr-banks <PCR banks>" |
| Optional comma-separated list of \s-1PCR\s0 banks to activate. Providing '\-' |
| allows to skip the selection and activates all \s-1PCR\s0 banks. By default |
| the sha1 and sha256 banks are activated. |
| .IP "\fB\-\-swtpm_ioctl <executable\fR>" 4 |
| .IX Item "--swtpm_ioctl <executable>" |
| Pass the path to the swtpm_ioctl executable. By default the swtpm_ioctl |
| in the \s-1PATH\s0 is used. |
| .IP "\fB\-\-tcsd\-system\-ps\-file <file\fR>" 4 |
| .IX Item "--tcsd-system-ps-file <file>" |
| A file to copy \s-1TCSD\s0's system_ps_file to. The system_ps_file contains the |
| \&\s-1TPM 1.2 SRK\s0 public key after taking ownership of the \s-1TPM.\s0 The file is |
| needed by \s-1TCSD\s0 for key related functions. |
| .Sp |
| This option is only useful with \s-1TPM 1.2\s0 and in if ownership is taken. |
| .IP "\fB\-\-print\-capabilities\fR (since v0.2)" 4 |
| .IX Item "--print-capabilities (since v0.2)" |
| Print capabilities that were added to swtpm_setup after version 0.1. The output |
| contains the following: |
| .Sp |
| .Vb 7 |
| \& { |
| \& "type": "swtpm_setup", |
| \& "features": [ |
| \& "cmdarg\-keyfile\-fd", |
| \& "cmdarg\-pwdfile\-fd" |
| \& ] |
| \& } |
| .Ve |
| .Sp |
| The meaning of the feature verbs is as follows: |
| .RS 4 |
| .IP "\fBcmdarg-key-fd\fR" 4 |
| .IX Item "cmdarg-key-fd" |
| The \fI\-\-keyfile\-fd\fR option is supported. |
| .IP "\fBcmdarg-pwd-fd\fR" 4 |
| .IX Item "cmdarg-pwd-fd" |
| The \fI\-\-pwdfile\-fd\fR option is supported. |
| .RE |
| .RS 4 |
| .RE |
| .IP "\fB\-\-help, \-h\fR" 4 |
| .IX Item "--help, -h" |
| Display the help screen |
| .SH "EXAMPLE USAGE" |
| .IX Header "EXAMPLE USAGE" |
| To simulate manufacturing of a \s-1TPM,\s0 one would typically run the following command: |
| .PP |
| .Vb 2 |
| \& #> sudo swtpm_setup \-\-tpmstate /tmp/mytpm1/ \e |
| \& \-\-create\-ek\-cert \-\-create\-platform\-cert \-\-lock\-nvram |
| .Ve |
| .PP |
| Note: since setting up a \s-1TPM 1.2\s0 relies on the \fItcsd\fR for some of its operations, |
| \&\fBswtpm_setup\fR has to be run as root so that it can invoke the \fItcsd\fR either as root |
| or tss user. |
| .PP |
| A normal user can also simulate the manufacturing of a \s-1TPM 2\s0 using the |
| swtpm-localca plugin. The following example assumes that the user has |
| set the environment variable \s-1XDG_CONFIG_HOME\s0 as follows (using bash for |
| example): |
| .PP |
| .Vb 1 |
| \& export XDG_CONFIG_HOME=~/.config |
| .Ve |
| .PP |
| Note: The \s-1XDG_CONFIG_HOME\s0 variable is part of the \s-1XDG\s0 Base Directory |
| Specification. |
| .PP |
| The following configuration files need to be created: |
| .PP |
| ~/.config/swtpm_setup.conf: |
| .PP |
| .Vb 4 |
| \& # Program invoked for creating certificates |
| \& create_certs_tool= /usr/share/swtpm/swtpm\-localca |
| \& create_certs_tool_config = ${XDG_CONFIG_HOME}/swtpm\-localca.conf |
| \& create_certs_tool_options = ${XDG_CONFIG_HOME}/swtpm\-localca.options |
| .Ve |
| .PP |
| ~/.config/swtpm\-localca.conf: |
| .PP |
| .Vb 4 |
| \& statedir = ${XDG_CONFIG_HOME}/var/lib/swtpm\-localca |
| \& signingkey = ${XDG_CONFIG_HOME}/var/lib/swtpm\-localca/signkey.pem |
| \& issuercert = ${XDG_CONFIG_HOME}/var/lib/swtpm\-localca/issuercert.pem |
| \& certserial = ${XDG_CONFIG_HOME}/var/lib/swtpm\-localca/certserial |
| .Ve |
| .PP |
| ~/.config/swtpm\-localca.options: |
| .PP |
| .Vb 3 |
| \& \-\-platform\-manufacturer Fedora |
| \& \-\-platform\-version 2.12 |
| \& \-\-platform\-model QEMU |
| .Ve |
| .PP |
| The following commands now create a \s-1TPM 2\s0 with an \s-1EK\s0 and platform |
| certificate. The state of the \s-1TPM 2\s0 will be stored in the directory |
| ${\s-1XDG_CONFIG_HOME\s0}/mytpm1. |
| .PP |
| .Vb 3 |
| \& #> mkdir \-p ${XDG_CONFIG_HOME}/mytpm1 |
| \& #> swtpm_setup \-\-tpm2 \-\-tpmstate ${XDG_CONFIG_HOME}/mytpm1 \e |
| \& \-\-create\-ek\-cert \-\-create\-platform\-cert \-\-lock\-nvram |
| .Ve |
| .SH "SEE ALSO" |
| .IX Header "SEE ALSO" |
| \&\fBswtpm_setup.conf\fR |
| .SH "REPORTING BUGS" |
| .IX Header "REPORTING BUGS" |
| Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com> |