Provided by: tpm2-tools_3.1.3-2_amd64 
NAME
tpm2_getmanufec(1) - Retrieve the Endorsement Credential Certificate for the TPM
endorsement key from the TPM manufacturer's endorsement certificate hosting server.
SYNOPSIS
tpm2_getmanufec [OPTIONS] [URL]
DESCRIPTION
tpm2_getmanufec(1) - Retrieve the Endorsement Credential Certificate for the TPM
endorsement key from the TPM manufacturer's endorsement certificate hosting server.
OPTIONS
· -e, –endorse-passwd=ENDORSE_PASSWORD: specifies current endorse password (string,
optional,default:NULL).
· -o, –owner-passwd=OWNER_PASSWORD: specifies current owner password (string,
optional,default:NULL).
· -P, –ek-passwd=EK_PASSWORD: specifies the EK password when created
(string,optional,default:NULL).
Passwords should follow the password formatting standards, see section “Password
Formatting”.
· -H, –handle=HANDLE: specifies the handle used to make EK persistent (hex).
· -g, –alg=ALGORITHM: specifies the algorithm type of EK. See section “Supported Public
Object Algorithms” for a list of supported object algorithms. See section “Algorithm
Specifiers” on how to specify an algorithm argument.
· -f, –output=FILE: Specifies the file used to save the public portion of EK.
· -N, –non-persistent: specifies to readout the EK public without making it persistent.
· -O, –offline=FILE: Specifies the file that contains an EK retrieved from offline
platform that needs to be provisioned.
· -E, –ec-cert=EC_CERT_FILE: Specifies the file used to save the Endorsement Credentials
retrieved from the TPM manufacturer provisioning server. Defaults to stdout if not
specified.
· -U, –SSL_NO_VERIFY: specifies to attempt connecting with the TPM manufacturer
provisioning server with SSL_NO_VERIFY option.
· -S, –input-session-handle=SESSION_HANDLE: Optional Input session handle from a policy
session for authorization.
COMMON OPTIONS
This collection of options are common to many programs and provide information that many
users may expect.
· -h, –help: Display the tools manpage. This requires the manpages to be installed or on
MANPATH, See man(1) for more details.
· -v, –version: Display version information for this tool, supported tctis and exit.
· -V, –verbose: Increase the information that the tool prints to the console during its
execution. When using this option the file and line number are printed.
· -Q, –quiet: Silence normal tool output to stdout.
· -Z, –enable-errata: Enable the application of errata fixups. Useful if an errata fixup
needs to be applied to commands sent to the TPM. # TCTI ENVIRONMENT
This collection of environment variables that may be used to configure the various TCTI
modules available.
The values passed through these variables can be overridden on a per-command basis using
the available command line options, see the TCTI_OPTIONS section.
The variables respected depend on how the software was configured.
· TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the next component down
the TSS stack. In most configurations this will be the TPM but it could be a simulator
or proxy. The current known TCTIs are:
· tabrmd - The new resource manager, called tabrmd
(https://github.com/01org/tpm2-abrmd).
· socket - Typically used with the old resource manager, or talking directly to a
simulator.
· device - Used when talking directly to a TPM device file.
· TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the TPM device file. The
default is “/dev/tpm0”.
Note: Using the tpm directly requires the users to ensure that concurrent access does
not occur and that they manage the tpm resources. These tasks are usually managed by a
resource manager. Linux 4.12 and greater supports an in kernel resource manager at
“/dev/tpmrm”, typically “/dev/tpmrm0”.
· TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify the domain name or IP
address used. The default is 127.0.0.1.
· TPM2TOOLS_SOCKET_PORT: When using the socket TCTI, specify the port number used. The
default is 2321.
TCTI OPTIONS
This collection of options are used to configure the varous TCTI modules available. They
override any environment variables.
· -T, –tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for communication with the next
component down the TSS stack. In most configurations this will be the resource manager:
tabrmd (https://github.com/01org/tpm2-abrmd) Optionally, tcti specific options can
appended to TCTI_NAME by appending a : to TCTI_NAME.
· For the device TCTI, the TPM device file for use by the device TCTI can be specified.
The default is /dev/tpm0. Example: -T device:/dev/tpm0
· For the socket TCTI, the domain name or IP address and port number used by the socket
can be specified. The default are 127.0.0.1 and 2321. Example: -T
socket:127.0.0.1:2321
· For the abrmd TCTI, it takes no options. Example: -T abrmd
Password Formatting
Passwords are interpreted in two forms, string and hex-string. A string password is not
interpreted, and is directly used for authorization. A hex-string, is converted from a
hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or
terminal un-friendly characters.
By default passwords are assumed to be in the string form. Password form is specified
with special prefix values, they are:
· str: - Used to indicate it is a raw string. Useful for escaping a password that starts
with the “hex:” prefix.
· hex: - Used when specifying a password in hex string format.
Supported Public Object Algorithms
Supported public object algorithms are:
· 0x1 or rsa for TPM_ALG_RSA (default).
· 0x8 or keyedhash for TPM_ALG_KEYEDHASH.
· 0x23 or ecc for TPM_ALG_ECC.
· 0x25 or symcipher for TPM_ALG_SYMCIPHER.
NOTE: Your TPM may not support all algorithms.
Algorithm Specfiers
Options that take algorithms support “nice-names”. Nice names, like sha1 can be used in
place of the raw hex for sha1: 0x4. The nice names are converted by stripping the leading
TPM_ALG_ from the Algorithm Name field and converting it to lower case. For instance
TPM_ALG_SHA3_256 becomes sha3_256.
The algorithms can be found at: <https://trustedcomputinggroup.org/wp-
content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>
NOTES
When the verbose option is specified, additional curl debugging information is provided by
setting the curl mode verbose, see: <https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html>
for more information.
EXAMPLES
tpm2_getmanufec -e abc123 -o abc123 -P passwd -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin https://tpm.manufacturer.com/ekcertserver/
tpm2_getmanufec -e 1a1b1c -o 1a1b1c -P 123abc -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin https://tpm.manufacturer.com/ekcertserver/
RETURNS
0 on success or 1 on failure.
BUGS
Github Issues (https://github.com/01org/tpm2-tools/issues)
HELP
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)