% tpm2_createek(1) tpm2-tools | General Commands Manual
# NAME
**tpm2_createek**(1) - Generate TCG profile compliant endorsement key.
# SYNOPSIS
**tpm2_createek** [*OPTIONS*]
# DESCRIPTION
**tpm2_createek**(1) - Generate a TCG profile compliant endorsement key (EK),
which is the primary object of the endorsement hierarchy.
If a transient object is generated, the tool outputs a context file at the
path specified with **-c**.
Refer to:
<http://www.trustedcomputinggroup.org/files/static_page_files/7CAA5687-1A4B-B294-D04080D058E86C5F>
# OPTIONS
* **-P**, **\--eh-auth**=_AUTH_:
The authorization value for the endorsement hierarchy.
* **-w**, **\--owner-auth**=_AUTH_:
The authorization value for the owner hierarchy.
* **-c**, **\--ek-context**=_OBJECT_ or _FILE_:
Either a file path or a persistent handle value to save the endorsement key.
If a value of **-** is passed, the tool will find a vacant persistent handle
to use and print out the automatically selected handle.
If one saves the context file via this option and the public key via the
**-u** option, the EK can be restored via a call to **tpm2_loadexternal**(1).
* **-G**, **\--key-algorithm**=_ALGORITHM_:
The endorsement key algorithm. Supports:
* **ecc** - A P256 key.
* **rsa** - An RSA2048 key.
* **keyedhash** - An HMAC key.
* **-u**, **\--public**=_FILE_:
The optional path of a file in which to save the public portion of the endorsement key.
* **-t**, **\--template**:
The optional manufacturer defined endorsement key template and nonce from
fixed NV Indices to populate the **TPM2B_PUBLIC** public area.
See the TCG EK Credential Profile specification for more information:
<https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf>
[pubkey options](common/pubkey.md)
Public key format.
## References
[context object format](common/ctxobj.md) details the methods for specifying
_OBJECT_.
[authorization formatting](common/authorizations.md) details the methods for
specifying _AUTH_.
[algorithm specifiers](common/alg.md) details the options for specifying
cryptographic algorithms _ALGORITHM_.
[common options](common/options.md) collection of common options that provide
information many users may expect.
[common tcti options](common/tcti.md) collection of options used to configure
the various known TCTI modules.
# EXAMPLES
### Create an Endorsement Key and make it persistent
```bash
tpm2_createek -P abc123 -w abc123 -c 0x81010001 -G rsa -u ek.pub
```
### Create a transient Endorsement Key, flush it, and reload it.
```bash
tpm2_createek -G rsa -u ek.pub
# Check that it is loaded in transient memory
tpm2_getcap handles-transient
- 0x80000000
# Flush the handle
tpm2_flushcontext 0x80000000
# Note that it is flushed
tpm2_getcap handles-transient
<null output>
# Reload it via loadexternal
tpm2_loadexternal -C o -u ek.pub -c ek.ctx
# Check that it is re-loaded in transient memory
tpm2_getcap handles-transient
- 0x80000000
```
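The file written with **-u** holds the marshalled **TPM2B_PUBLIC** area of the EK. The following Python script, added here as an example and not part of tpm2-tools, parses that file, checks that the object attributes are the ones the default EK templates set (fixedTPM, fixedParent, sensitiveDataOrigin, restricted, decrypt, and no sign) and computes the object name (nameAlg followed by the nameAlg hash of the TPMT_PUBLIC), which is the value the TPM itself uses to identify the object. It assumes the TPM 2.0 Library Part 2 marshalling layout, handles only RSA and ECC keys with a NULL scheme, and falls back to a constructed sample area (`SAMPLE_RSA_PUB`) when no file path is given; `EK_POLICY_SHA256` is the default SHA-256 EK policy digest published in the TCG EK Credential Profile.

```python
"""Inspect the TPM2B_PUBLIC file that `tpm2_createek -u ek.pub` writes.

Added example, not part of tpm2-tools. Assumptions: the -u file is a
marshalled TPM2B_PUBLIC (big-endian, TPM 2.0 Library Part 2 layout); only
RSA and ECC public areas with a NULL scheme are handled; SAMPLE_RSA_PUB
below is a constructed fixture, not data captured from a real TPM.
"""
import hashlib
import struct
import sys

# TPM_ALG_ID constants used below.
ALG_RSA, ALG_ECC, ALG_SHA256, ALG_SHA384 = 0x0001, 0x0023, 0x000B, 0x000C
ALG_AES, ALG_CFB, ALG_NULL = 0x0006, 0x0043, 0x0010
HASHES = {ALG_SHA256: hashlib.sha256, ALG_SHA384: hashlib.sha384}
# TPMA_OBJECT bit positions.
ATTRS = {"fixedTPM": 1 << 1, "stClear": 1 << 2, "fixedParent": 1 << 4,
         "sensitiveDataOrigin": 1 << 5, "userWithAuth": 1 << 6,
         "adminWithPolicy": 1 << 7, "noDA": 1 << 10,
         "encryptedDuplication": 1 << 11, "restricted": 1 << 16,
         "decrypt": 1 << 17, "sign": 1 << 18}
# Default EK authPolicy digest (PolicySecret on the endorsement hierarchy)
# from the TCG EK Credential Profile.
EK_POLICY_SHA256 = bytes.fromhex(
    "837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa")


def _tpm2b(buf, off):
    """Read one size-prefixed TPM2B blob; return (payload, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_tpm2b_public(data):
    """Decode a marshalled TPM2B_PUBLIC into a dict, including the object name."""
    (size,) = struct.unpack_from(">H", data, 0)
    body = data[2:2 + size]                      # the TPMT_PUBLIC
    if len(body) != size:
        raise ValueError("truncated TPM2B_PUBLIC")
    ktype, name_alg, attrs = struct.unpack_from(">HHI", body, 0)
    policy, off = _tpm2b(body, 8)
    (sym_alg,) = struct.unpack_from(">H", body, off)
    off += 2
    sym = {"alg": sym_alg}
    if sym_alg != ALG_NULL:                      # keyBits and mode follow
        sym["bits"], sym["mode"] = struct.unpack_from(">HH", body, off)
        off += 4
    (scheme,) = struct.unpack_from(">H", body, off)
    off += 2
    if scheme != ALG_NULL:
        raise ValueError("only a NULL scheme is handled here")
    pub = {"type": ktype, "nameAlg": name_alg, "attrs": attrs,
           "authPolicy": policy, "symmetric": sym}
    if ktype == ALG_RSA:
        pub["keyBits"], pub["exponent"] = struct.unpack_from(">HI", body, off)
        pub["modulus"], off = _tpm2b(body, off + 6)
    elif ktype == ALG_ECC:
        pub["curve"], kdf = struct.unpack_from(">HH", body, off)
        if kdf != ALG_NULL:
            raise ValueError("only a NULL KDF is handled here")
        pub["x"], off = _tpm2b(body, off + 4)
        pub["y"], off = _tpm2b(body, off)
    else:
        raise ValueError("unsupported key type 0x%04x" % ktype)
    if off != size:
        raise ValueError("trailing bytes in TPMT_PUBLIC")
    # Object name = nameAlg || H_nameAlg(TPMT_PUBLIC): the identity the TPM
    # binds to this object, so any change to the public area changes it.
    pub["name"] = struct.pack(">H", name_alg) + HASHES[name_alg](body).digest()
    return pub


def ek_attribute_problems(pub):
    """List deviations from the attributes the default EK templates set."""
    a = pub["attrs"]
    problems = ["missing " + n for n in ("fixedTPM", "fixedParent",
                "sensitiveDataOrigin", "restricted", "decrypt")
                if not a & ATTRS[n]]
    if a & ATTRS["sign"]:
        problems.append("sign must not be set on an EK")
    if pub["nameAlg"] == ALG_SHA256 and pub["authPolicy"] != EK_POLICY_SHA256:
        problems.append("authPolicy is not the default EK policy")
    return problems


def build_rsa_public(modulus, attrs=0x000300B2, policy=EK_POLICY_SHA256):
    """Construct a TPM2B_PUBLIC for an RSA key (test fixture only)."""
    tpmt = struct.pack(">HHI", ALG_RSA, ALG_SHA256, attrs)
    tpmt += struct.pack(">H", len(policy)) + policy
    tpmt += struct.pack(">HHH", ALG_AES, 128, ALG_CFB)      # symmetric
    tpmt += struct.pack(">H", ALG_NULL)                      # scheme
    tpmt += struct.pack(">HI", len(modulus) * 8, 0)          # keyBits, exponent (0 = 65537)
    tpmt += struct.pack(">H", len(modulus)) + modulus
    return struct.pack(">H", len(tpmt)) + tpmt


# Constructed fixture: a 2048-bit modulus with the default EK attributes.
SAMPLE_RSA_PUB = build_rsa_public(bytes([0xC3]) + bytes(range(255)))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_RSA_PUB
    pub = parse_tpm2b_public(blob)
    print("name:", pub["name"].hex())
    print("problems:", ek_attribute_problems(pub) or "none")
```

Run it as `python3 ek_inspect.py ek.pub` after the first example above; the printed name is the value to record for the persistent EK, and a non-empty problem list means the public area does not describe a standard EK, for instance because a custom **-t** template was used.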
[returns](common/returns.md)
[footer](common/footer.md)