documented updates

[gnutls.git] / doc / invoke-tpmtool.texi

@node tpmtool Invocation
@subsection Invoking tpmtool
@pindex tpmtool
@cindex GnuTLS TPM tool
@ignore
#  -*- buffer-read-only: t -*- vi: set ro:
# 
# DO NOT EDIT THIS FILE   (invoke-tpmtool.texi)
# 
# It has been AutoGen-ed  July 21, 2012 at 10:14:33 PM by AutoGen 5.16
# From the definitions    ../src/tpmtool-args.def
# and the template file   agtexi-cmd.tpl
@end ignore


Program that allows handling cryptographic data from the TPM chip.

This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{tpmtool} program.
This software is released under the GNU General Public License, version 3 or later.


@anchor{tpmtool usage}
@subsubheading tpmtool help/usage (-h)
@cindex tpmtool help

This is the automatically generated usage text for tpmtool.
The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
the usage text by passing it through a pager program.
@code{more-help} is disabled on platforms without a working
@code{fork(2)} function.  The @code{PAGER} environment variable is
used to select the program, defaulting to @file{more}.  Both will exit
with a status code of 0.

@exampleindent 0
@example
tpmtool - GnuTLS TPM tool - Ver. @@VERSION@@
USAGE:  tpmtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...

   -d, --debug=num            Enable debugging.
                                - It must be in the range:
                                  0 to 9999
       --infile=file          Input file
                                - file must pre-exist
       --outfile=str          Output file
       --generate-rsa         Generate an RSA private-public key pair
       --register             Any generated key will be registered in the TPM
                                - requires these options:
                                generate-rsa
       --signing              Any generated key will be a signing key
                                - requires these options:
                                generate-rsa
                                -- and prohibits these options:
                                legacy
       --legacy               Any generated key will be a legacy key
                                - requires these options:
                                generate-rsa
                                -- and prohibits these options:
                                signing
       --user                 Any registered key will be a user key
                                - requires these options:
                                register
                                -- and prohibits these options:
                                system
       --system               Any registred key will be a system key
                                - requires these options:
                                register
                                -- and prohibits these options:
                                user
       --pubkey=str           Prints the public key of the provided key
       --list                 Lists all stored keys in the TPM
       --delete=str           Delete the key identified by the given URL (UUID).
       --sec-param=str        Specify the security level [low, legacy, normal, high, ultra].
       --bits=num             Specify the number of bits for key generate
       --inder                Use the DER format for keys.
                                - disabled as --no-inder
       --outder               Use DER format for output keys
                                - disabled as --no-outder
   -v, --version[=arg]        Output version information and exit
   -h, --help                 Display extended usage information and exit
   -!, --more-help            Extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.



Program that allows handling cryptographic data from the TPM chip.

please send bug reports to:  bug-gnutls@@gnu.org
@end example
@exampleindent 4

@anchor{tpmtool debug}
@subsubheading debug option (-d)
@cindex tpmtool-debug

This is the ``enable debugging.'' option.
This option takes an argument number.
Specifies the debug level.
@anchor{tpmtool generate-rsa}
@subsubheading generate-rsa option
@cindex tpmtool-generate-rsa

This is the ``generate an rsa private-public key pair'' option.
Generates an RSA private-public key pair in the TPM chip. 
The key may be stored in filesystem and protected by a PIN, or stored (registered)
in the TPM chip flash.
@anchor{tpmtool user}
@subsubheading user option
@cindex tpmtool-user

This is the ``any registered key will be a user key'' option.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
must appear in combination with the following options:
register.
@item
must not appear in combination with any of the following options:
system.
@end itemize

The generated key will be stored in a user specific persistent storage.
@anchor{tpmtool system}
@subsubheading system option
@cindex tpmtool-system

This is the ``any registred key will be a system key'' option.

@noindent
This option has some usage constraints.  It:
@itemize @bullet
@item
must appear in combination with the following options:
register.
@item
must not appear in combination with any of the following options:
user.
@end itemize

The generated key will be stored in system persistent storage.
@anchor{tpmtool sec-param}
@subsubheading sec-param option
@cindex tpmtool-sec-param

This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
This option takes an argument string @file{Security parameter}.
This is alternative to the bits option. Note however that the
values allowed by the TPM chip are quantized and given values may be rounded up.
@anchor{tpmtool inder}
@subsubheading inder option
@cindex tpmtool-inder

This is the ``use the der format for keys.'' option.
The input files will be assumed to be in the portable
DER format of TPM. The default format is a custom format used by various
TPM tools
@anchor{tpmtool outder}
@subsubheading outder option
@cindex tpmtool-outder

This is the ``use der format for output keys'' option.
The output will be in the TPM portable DER format.
@anchor{tpmtool exit status}
@subsubheading tpmtool exit status

One of the following exit values will be returned:
@table @samp
@item 0 (EXIT_SUCCESS)
Successful program execution.
@item 1 (EXIT_FAILURE)
The operation failed or the command syntax was not valid.
@end table
@anchor{tpmtool See Also}
@subsubheading tpmtool See Also
    p11tool (1), certtool (1)

@anchor{tpmtool Examples}
@subsubheading tpmtool Examples
To generate a key that is to be stored in filesystem use:
@example
$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
@end example

To generate a key that is to be stored in TPM's flash use:
@example
$ tpmtool --generate-rsa --bits 2048 --register --user
@end example

To get the public key of a TPM key use:
@example
$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
          --outfile pubkey.pem
@end example

or if the key is stored in the filesystem:
@example
$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem
@end example

To list all keys stored in TPM use:
@example
$ tpmtool --list
@end example