| .\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) |
| .\" |
| .\" Standard preamble: |
| .\" ======================================================================== |
| .de Sp \" Vertical space (when we can't use .PP) |
| .if t .sp .5v |
| .if n .sp |
| .. |
| .de Vb \" Begin verbatim text |
| .ft CW |
| .nf |
| .ne \\$1 |
| .. |
| .de Ve \" End verbatim text |
| .ft R |
| .fi |
| .. |
| .\" Set up some character translations and predefined strings. \*(-- will |
| .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
| .\" double quote, and \*(R" will give a right double quote. \*(C+ will |
| .\" give a nicer C++. Capital omega is used to do unbreakable dashes and |
| .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, |
| .\" nothing in troff, for use with C<>. |
| .tr \(*W- |
| .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
| .ie n \{\ |
| . ds -- \(*W- |
| . ds PI pi |
| . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
| . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
| . ds L" "" |
| . ds R" "" |
| . ds C` "" |
| . ds C' "" |
| 'br\} |
| .el\{\ |
| . ds -- \|\(em\| |
| . ds PI \(*p |
| . ds L" `` |
| . ds R" '' |
| . ds C` |
| . ds C' |
| 'br\} |
| .\" |
| .\" Escape single quotes in literal strings from groff's Unicode transform. |
| .ie \n(.g .ds Aq \(aq |
| .el .ds Aq ' |
| .\" |
| .\" If the F register is >0, we'll generate index entries on stderr for |
| .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
| .\" entries marked with X<> in POD. Of course, you'll have to process the |
| .\" output yourself in some meaningful fashion. |
| .\" |
| .\" Avoid warning from groff about undefined register 'F'. |
| .de IX |
| .. |
| .nr rF 0 |
| .if \n(.g .if rF .nr rF 1 |
| .if (\n(rF:(\n(.g==0)) \{\ |
| . if \nF \{\ |
| . de IX |
| . tm Index:\\$1\t\\n%\t"\\$2" |
| .. |
| . if !\nF==2 \{\ |
| . nr % 0 |
| . nr F 2 |
| . \} |
| . \} |
| .\} |
| .rr rF |
| .\" |
| .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
| .\" Fear. Run. Save yourself. No user-serviceable parts. |
| . \" fudge factors for nroff and troff |
| .if n \{\ |
| . ds #H 0 |
| . ds #V .8m |
| . ds #F .3m |
| . ds #[ \f1 |
| . ds #] \fP |
| .\} |
| .if t \{\ |
| . ds #H ((1u-(\\\\n(.fu%2u))*.13m) |
| . ds #V .6m |
| . ds #F 0 |
| . ds #[ \& |
| . ds #] \& |
| .\} |
| . \" simple accents for nroff and troff |
| .if n \{\ |
| . ds ' \& |
| . ds ` \& |
| . ds ^ \& |
| . ds , \& |
| . ds ~ ~ |
| . ds / |
| .\} |
| .if t \{\ |
| . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" |
| . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' |
| . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' |
| . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' |
| . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' |
| . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' |
| .\} |
| . \" troff and (daisy-wheel) nroff accents |
| .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' |
| .ds 8 \h'\*(#H'\(*b\h'-\*(#H' |
| .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] |
| .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' |
| .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' |
| .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] |
| .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] |
| .ds ae a\h'-(\w'a'u*4/10)'e |
| .ds Ae A\h'-(\w'A'u*4/10)'E |
| . \" corrections for vroff |
| .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' |
| .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' |
| . \" for low resolution devices (crt and lpr) |
| .if \n(.H>23 .if \n(.V>19 \ |
| \{\ |
| . ds : e |
| . ds 8 ss |
| . ds o a |
| . ds d- d\h'-1'\(ga |
| . ds D- D\h'-1'\(hy |
| . ds th \o'bp' |
| . ds Th \o'LP' |
| . ds ae ae |
| . ds Ae AE |
| .\} |
| .rm #[ #] #H #V #F C |
| .\" ======================================================================== |
| .\" |
| .IX Title "swtpm-create-tpmca 8" |
| .TH swtpm-create-tpmca 8 "2018-10-17" "swtpm" "" |
| .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
| .\" way too many mistakes in technical documents. |
| .if n .ad l |
| .nh |
| .SH "NAME" |
| swtpm\-create\-tpmca |
| .SH "SYNOPSIS" |
| .IX Header "SYNOPSIS" |
| \&\fBswtpm-create-tpmca [\s-1OPTIONS\s0]\fR |
| .SH "DESCRIPTION" |
| .IX Header "DESCRIPTION" |
| \&\fBswtpm-create-tpmca\fR is a tool to create a \s-1TPM 1.2\s0 based \s-1CA\s0 that |
| can be used by \fBswtpm-localca\fR to sign \s-1EK\s0 and platform certificates. |
| The \s-1CA\s0 uses a GnuTLS key to sign certificates. To do this, |
| GnuTLS talks to the \s-1TPM 1.2\s0 using the \fBtcsd\fR (TrouSerS) daemon. |
| .PP |
| Since the \s-1TPM CA\s0's certificate must be signed by a \s-1CA,\s0 a root certificate authority |
| will also be created and will sign this certificate. The root \s-1CA\s0's |
| private key and certificate will be located in the same directory as the |
| signing key and have the names swtpm\-localca\-rootca\-privkey.pem and |
| swtpm\-localca\-rootca\-cert.pem respectively. The environment variable |
| \&\s-1SWTPM_ROOTCA_PASSWORD\s0 can be set for the password of the root \s-1CA\s0's |
| private key. |
| .PP |
| Note: This tool is experimental. See the section on known issues below. |
| .PP |
| The following options are supported: |
| .IP "\fB\-\-dir dir\fR" 4 |
| .IX Item "--dir dir" |
| The directory where the keys will be written to. An existing root \s-1CA\s0 with |
| the files \fIswtpm\-localca\-rootca\-privkey.pem\fR and |
| \&\fIswtpm\-localca\-rootca\-cert.pem\fR in this directory will be reused. If |
| either one of these files does not exist, a new root \s-1CA\s0 will be created. |
| .IP "\fB\-\-overwrite\fR" 4 |
| .IX Item "--overwrite" |
| Overwrite the contents of the output directory. |
| .IP "\fB\-\-register\fR" 4 |
| .IX Item "--register" |
| Register the key with \s-1TCSD.\s0 For the key to be available for signing, |
| the same user that created the \s-1TPM CA\s0 has to run the swtpm-localca |
| later on. If this option is not passed, the private key is instead written |
| to a file and can then be used by other users as well. |
| .IP "\fB\-\-key\-password s\fR" 4 |
| .IX Item "--key-password s" |
| The new signing key will get this password. |
| .Sp |
| Note: Due to a bug in GnuTLS certtool it may be necessary to use the |
| same password for the signing key as for the \s-1SRK.\s0 |
| .IP "\fB\-\-srk\-password s\fR" 4 |
| .IX Item "--srk-password s" |
| The \s-1TPM SRK\s0 password. |
| .Sp |
| Note: Since GnuTLS tpmtool does not support the 'well known' password |
| of 20 zero bytes, the \s-1SRK\s0 password must be set. |
| .IP "\fB\-\-outfile filename\fR" 4 |
| .IX Item "--outfile filename" |
| The name of the file to which the swtpm\-localca.conf configuration is |
| written. |
| .IP "\fB\-\-owner owner\fR" 4 |
| .IX Item "--owner owner" |
| The name or uid number of the owner who will own the directory and the |
| outfile. This option only has an effect if swtpm-create-tpmca is run by |
| the root user. |
| .IP "\fB\-\-group group\fR" 4 |
| .IX Item "--group group" |
| The name or gid number of the group that will own the directory and the |
| outfile. This option only has an effect if swtpm-create-tpmca is run by |
| the root user. |
| .IP "\fB\-\-tss\-tcsd\-hostname\fR" 4 |
| .IX Item "--tss-tcsd-hostname" |
| The hostname on which tcsd is running. The default hostname is 'localhost'. |
| .IP "\fB\-\-tss\-tcsd\-port\fR" 4 |
| .IX Item "--tss-tcsd-port" |
| The \s-1TCP\s0 port on which tcsd is listening for messages. The default port is |
| 30003. |
| .IP "\fB\-help, \-h, \-?\fR" 4 |
| .IX Item "-help, -h, -?" |
| Display the help screen and exit. |
| .SH "EXAMPLE" |
| .IX Header "EXAMPLE" |
| The following example creates an intermediate \s-1TPM CA\s0 and writes the keys |
| into /var/lib/swtpm\-localca and the swtpm-localca configuration to |
| /etc/swtpm\-localca.conf. It can then be used for signing certificates of |
| newly created \fBswtpm\fR TPMs. |
| .PP |
| .Vb 10 |
| \& #> sudo systemctl start tcsd |
| \& #> sudo /usr/share/swtpm/swtpm\-create\-tpmca \e |
| \& \-\-dir /var/lib/swtpm\-localca \e |
| \& \-\-overwrite \e |
| \& \-\-outfile /etc/swtpm\-localca.conf \e |
| \& \-\-srk\-password password \e |
| \& \-\-key\-password password \e |
| \& \-\-group tss |
| \& statedir = /var/lib/swtpm\-localca |
| \& signingkey = tpmkey:file=/var/lib/swtpm\-localca/swtpm\-localca\-tpmca\-privkey.pem |
| \& issuercert = /var/lib/swtpm\-localca/swtpm\-localca\-tpmca\-cert.pem |
| \& certserial = /var/lib/swtpm\-localca/certserial |
| \& TSS_TCSD_HOSTNAME = localhost |
| \& TSS_TCSD_PORT = 30003 |
| \& signingkey_password = password |
| \& parentkey_password = password |
| .Ve |
| .SH "KNOWN ISSUES" |
| .IX Header "KNOWN ISSUES" |
| The interaction of GnuTLS certtool with the \s-1TPM TCSD\s0 daemon may cause so |
| many \s-1TPM\s0 (key) authentication failures, that the \s-1TPM\s0 refuses to accept any |
| more authenticated commands until the \s-1TPM\s0's owner sends it the |
| TPM_ORD_ResetLockValue command. The reason for this is that certtool first |
| tries to use 20 zero bytes for the \s-1SRK\s0 password and only then prompts for |
| and uses the required \s-1SRK\s0 password. The GnuTLS tpmtool does not support 20 |
| zero bytes for the \s-1SRK\s0 password and so forces the use of a 'real' password. |
| .PP |
| The effect of these authentication failures may be that the \s-1TPM CA\s0 cannot sign |
| certificates, since the \s-1TPM\s0 no longer accepts authenticated commands. |
| .SH "SEE ALSO" |
| .IX Header "SEE ALSO" |
| \&\fBswtpm-localca\fR, \fBswtpm\-localca.conf\fR, \fBtcsd\fR |
| .SH "REPORTING BUGS" |
| .IX Header "REPORTING BUGS" |
| Report bugs to Stefan Berger <stefanb@linux.ibm.com> |