.\" Automatically generated by Pandoc 1.19.2.1
.\"
.TH "fapi-config" 5 "JULY 2020" "TPM2 Software Stack"
.hy
.SH "SEE ALSO"
.BR fapi-profile (5)
.SH DESCRIPTION
.SB FAPI configuration file
.PP
The FAPI parameters which can be adjusted via the configuration file are:
.IP \[bu] 2
profile_name: Name of the default cryptographic profile, chosen from the
profile_dir directory.
.IP \[bu] 2
profile_dir: Directory that contains all cryptographic profiles known to
FAPI.
.IP \[bu] 2
user_dir: The directory where user objects are stored.
.IP \[bu] 2
system_dir: The directory where system objects, policies, and imported
objects are stored.
.IP \[bu] 2
tcti: The TCTI interface which will be used.
.IP \[bu] 2
system_pcrs: The PCR registers which are used by the system.
.IP \[bu] 2
log_dir: The directory for the event log.
.IP \[bu] 2
ek_cert_less: A switch to disable certificate verification (optional).
.IP \[bu] 2
ek_fingerprint: The fingerprint of the endorsement key (optional).
.PP
If not otherwise specified during TSS installation, the default location
for the exemplary profiles is /etc/tpm2\-tss/profiles/ and
/etc/tpm2\-tss/ for the FAPI configuration file.
The environment variable TSS2_FAPICONF can be used to set an alternative
pathname for the FAPI configuration file.
.SH EXAMPLES
.PP
The FAPI configuration file is JSON encoded:
.IP
.nf
\f[C]
{
\ \ \ \ \ "profile_name":\ "P_ECCP256SHA256",
\ \ \ \ \ "profile_dir":\ "/etc/tpm2\-tss/fapi\-profiles/",
\ \ \ \ \ "user_dir":\ "~/.local/share/tpm2\-tss/user/keystore/",
\ \ \ \ \ "system_dir":\ "/home/myhome/keystore/system/keystore",
\ \ \ \ \ "tcti":\ "",
\ \ \ \ \ "system_pcrs"\ :\ [0,\ 1,\ 2,\ 3,\ 4,\ 5,\ 6,\ 7],
\ \ \ \ \ "log_dir"\ :\ "/home/myhome/eventlog/"
}
\f[]
.fi
.PP
For this example the default TCTI of the system will be used.
The certificates for the stored endorsement keys will be checked.
If certificate checking is not needed, the option
\f[C]"ek_cert_less":\ "yes"\f[] can be added to the config file.
.PP
As an alternative to the standard certificate checking, a fingerprint
(hash of the public key) of the stored endorsement key can be defined in
the config file:
.IP
.nf
\f[C]
"ek_fingerprint":\ {
\ \ \ \ \ "hashAlg"\ :\ "sha256",
\ \ \ \ \ "digest"\ :\ "9e56...214d"
}
\f[]
.fi
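.SH ADDED EXAMPLE
.PP
The following Python script is an added example, not code from the tpm2\-tss project. It resolves the configuration file path the way this page describes (TSS2_FAPICONF overriding the default directory), parses the JSON, checks the required keys and the optional ek_cert_less / ek_fingerprint settings, and flags the combination that leaves stored endorsement keys unverified. Assumptions not stated on this page: the default file name fapi-config.json, the set of hash algorithms other than sha256, that "yes" is the only value of ek_cert_less that disables checking, and that PCR indices run 0..23. The sample configuration and its fingerprint digest are constructed for the example.

```python
"""Parse and sanity-check a tpm2-tss FAPI configuration file (fapi-config(5)).

Added example, not code from the tpm2-tss project.  It reimplements the
documented configuration semantics in plain Python and never talks to a TPM.
"""
import json
import os

# Keys fapi-config(5) lists as always present; ek_cert_less and
# ek_fingerprint are optional.
REQUIRED_KEYS = ("profile_name", "profile_dir", "user_dir", "system_dir",
                 "tcti", "system_pcrs", "log_dir")

# Expected hex digest length per hashAlg.  The man page only shows "sha256";
# the other entries are this example's assumption.
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128}

# Assumption: a PC-client TPM 2.0 exposes 24 PCRs, indices 0..23.
MAX_PCR_INDEX = 23

# Constructed EK fingerprint: the page elides the real digest ("9e56...214d"),
# so this is a made-up 64-hex-char value of the right length, not a real EK.
CONSTRUCTED_DIGEST = "9e56" + "0" * 56 + "214d"

# Constructed sample config modelled on the man page example.
SAMPLE_CONFIG = """
{
     "profile_name": "P_ECCP256SHA256",
     "profile_dir": "/etc/tpm2-tss/fapi-profiles/",
     "user_dir": "~/.local/share/tpm2-tss/user/keystore/",
     "system_dir": "/home/myhome/keystore/system/keystore",
     "tcti": "",
     "system_pcrs" : [0, 1, 2, 3, 4, 5, 6, 7],
     "log_dir" : "/home/myhome/eventlog/",
     "ek_fingerprint": {
         "hashAlg" : "sha256",
         "digest" : "%s"
     }
}
""" % CONSTRUCTED_DIGEST


def config_path(env=None, default_dir="/etc/tpm2-tss"):
    """TSS2_FAPICONF overrides the default location.  The file name
    'fapi-config.json' inside default_dir is an assumption of this example."""
    env = os.environ if env is None else env
    override = env.get("TSS2_FAPICONF")
    return override if override else os.path.join(default_dir, "fapi-config.json")


def _is_hex(s):
    return len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def validate_config(cfg):
    """Return (errors, warnings) for a parsed FAPI config dict.
    errors: settings FAPI could not use; warnings: settings that weaken EK checks."""
    errors, warnings = [], []

    for key in REQUIRED_KEYS:
        if key not in cfg:
            errors.append("missing required key: %s" % key)

    # Directories must be absolute; a leading "~" is accepted as in the page's example.
    for key in ("profile_dir", "user_dir", "system_dir", "log_dir"):
        value = cfg.get(key)
        if isinstance(value, str) and not (value.startswith("~") or os.path.isabs(value)):
            errors.append("%s must be an absolute path" % key)

    pcrs = cfg.get("system_pcrs")
    if pcrs is not None and not (isinstance(pcrs, list) and all(
            isinstance(p, int) and 0 <= p <= MAX_PCR_INDEX for p in pcrs)):
        errors.append("system_pcrs must be a list of PCR indices 0..%d" % MAX_PCR_INDEX)

    # Assumption: only the string "yes" (any case) switches certificate checking off.
    cert_less = cfg.get("ek_cert_less")
    if cert_less is not None:
        if not isinstance(cert_less, str):
            errors.append('ek_cert_less must be a string such as "yes"')
        elif cert_less.lower() == "yes":
            warnings.append("ek_cert_less=yes: EK certificate verification is disabled")
            if "ek_fingerprint" not in cfg:
                warnings.append("no ek_fingerprint pinned either: stored EKs are not verified")

    fp = cfg.get("ek_fingerprint")
    if fp is not None:
        alg = fp.get("hashAlg") if isinstance(fp, dict) else None
        digest = fp.get("digest") if isinstance(fp, dict) else None
        if not isinstance(alg, str) or alg.lower() not in DIGEST_HEX_LEN:
            errors.append("ek_fingerprint.hashAlg must be one of %s" % sorted(DIGEST_HEX_LEN))
        elif (not isinstance(digest, str) or not _is_hex(digest)
              or len(digest) != DIGEST_HEX_LEN[alg.lower()]):
            errors.append("ek_fingerprint.digest must be %d hex characters for %s"
                          % (DIGEST_HEX_LEN[alg.lower()], alg))
    return errors, warnings


def load_and_check(text):
    """Parse JSON config text and validate it; returns (cfg, errors, warnings)."""
    cfg = json.loads(text)
    errors, warnings = validate_config(cfg)
    return cfg, errors, warnings


if __name__ == "__main__":
    print("FAPI config would be read from:", config_path())
    cfg, errors, warnings = load_and_check(SAMPLE_CONFIG)
    for msg in errors:
        print("ERROR:", msg)
    for msg in warnings:
        print("WARNING:", msg)
    print("ok" if not errors else "invalid")
```

Run it as-is to check the embedded sample, or replace SAMPLE_CONFIG with the contents of the file returned by config_path() to check a deployed configuration. The digest check deliberately rejects the elided "9e56...214d" shown on this page, so a copied-and-pasted placeholder is caught before FAPI silently fails to match any endorsement key.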