5.4.4 Invoking tpmtool

Program that allows handling cryptographic data from the TPM chip.

tpmtool help/usage (-?)

The text printed is the same whether selected with the help option (--help) or the more-help option (--more-help). more-help will print the usage text by passing it through a pager program. more-help is disabled on platforms without a working fork(2) function. The PAGER environment variable is used to select the program, defaulting to more. Both will exit with a status code of 0.

tpmtool - GnuTLS TPM tool
Usage:  tpmtool [ -<flag> [<val>] | --<name>[{=| }<val>] ]... 

None:

   -d, --debug=num            Enable debugging
				- it must be in the range:
				  0 to 9999
       --infile=file          Input file
				- file must pre-exist
       --outfile=str          Output file
       --generate-rsa         Generate an RSA private-public key pair
       --register             Any generated key will be registered in the TPM
				- requires the option 'generate-rsa'
       --signing              Any generated key will be a signing key
				- prohibits the option 'legacy'
				- requires the option 'generate-rsa'
       --legacy               Any generated key will be a legacy key
				- prohibits the option 'signing'
				- requires the option 'generate-rsa'
       --user                 Any registered key will be a user key
				- prohibits the option 'system'
				- requires the option 'register'
       --system               Any registered key will be a system key
				- prohibits the option 'user'
				- requires the option 'register'
       --pubkey=str           Prints the public key of the provided key
       --list                 Lists all stored keys in the TPM
       --delete=str           Delete the key identified by the given URL (UUID)
       --test-sign=str        Tests the signature operation of the provided object
       --sec-param=str        Specify the security level [low, legacy, medium, high, ultra]
       --bits=num             Specify the number of bits for key generate
       --inder                Use the DER format for keys
       --outder               Use DER format for output keys
       --srk-well-known       SRK has well known password (20 bytes of zeros)

Version, usage and configuration options:

   -v, --version[=arg]        output version information and exit
   -h, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.

Program that allows handling cryptographic data from the TPM chip.

Please send bug reports to:  <bugs@gnutls.org>

debug option (-d).

This is the “enable debugging” option. This option takes a ArgumentType.NUMBER argument. Specifies the debug level.

generate-rsa option.

This is the “generate an rsa private-public key pair” option. Generates an RSA private-public key pair in the TPM chip. The key may be stored in file system and protected by a PIN, or stored (registered) in the TPM chip flash.

user option.

This is the “any registered key will be a user key” option.

This option has some usage constraints. It:

• must not appear in combination with any of the following options: system.
• must appear in combination with the following options: register.

The generated key will be stored in a user specific persistent storage.

system option.

This is the “any registered key will be a system key” option.

This option has some usage constraints. It:

• must not appear in combination with any of the following options: user.
• must appear in combination with the following options: register.

The generated key will be stored in system persistent storage.

test-sign option.

This is the “tests the signature operation of the provided object” option. This option takes a ArgumentType.STRING argument url. It can be used to test the correct operation of the signature operation. This operation will sign and verify the signed data.

sec-param option.

This is the “specify the security level [low, legacy, medium, high, ultra]” option. This option takes a ArgumentType.STRING argument Security parameter. This is alternative to the bits option. Note however that the values allowed by the TPM chip are quantized and given values may be rounded up.

inder option.

This is the “use the der format for keys” option. The input files will be assumed to be in the portable DER format of TPM. The default format is a custom format used by various TPM tools

outder option.

This is the “use der format for output keys” option. The output will be in the TPM portable DER format.

version option (-v).

This is the “output version information and exit” option. This option takes a ArgumentType.KEYWORD argument. Output version of program and exit. The default mode is ‘v’, a simple version. The ‘c’ mode will print copyright information and ‘n’ will print the full copyright notice.

help option (-h).

This is the “display extended usage information and exit” option. Display usage information and exit.

more-help option (-!).

This is the “extended usage information passed thru pager” option. Pass the extended usage information through a pager.

tpmtool exit status

One of the following exit values will be returned:

‘0 (EXIT_SUCCESS)’

Successful program execution.

‘1 (EXIT_FAILURE)’

The operation failed or the command syntax was not valid.

tpmtool See Also

p11tool (1), certtool (1)

tpmtool Examples

To generate a key that is to be stored in file system use:

$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem

To generate a key that is to be stored in TPM’s flash use:

$ tpmtool --generate-rsa --bits 2048 --register --user

To get the public key of a TPM key use:

$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
          --outfile pubkey.pem

or if the key is stored in the file system:

$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem

To list all keys stored in TPM use:

$ tpmtool --list