Provided by: tpm2-tools_3.1.3-2_amd64 bug

NAME

       tpm2_getmanufec(1)   -  Retrieve  the  Endorsement  Credential  Certificate  for  the  TPM
       endorsement key from the TPM manufacturer's endorsement certificate hosting server.

SYNOPSIS

       tpm2_getmanufec [OPTIONS] [URL]

DESCRIPTION

       tpm2_getmanufec(1)  -  Retrieve  the  Endorsement  Credential  Certificate  for  the   TPM
       endorsement key from the TPM manufacturer's endorsement certificate hosting server.

OPTIONS

       · -e,   –endorse-passwd=ENDORSE_PASSWORD:  specifies  current  endorse  password  (string,
         optional,default:NULL).

       · -o,   –owner-passwd=OWNER_PASSWORD:   specifies   current   owner   password    (string,
         optional,default:NULL).

       · -P,     –ek-passwd=EK_PASSWORD:    specifies    the    EK    password    when    created
         (string,optional,default:NULL).

         Passwords should  follow  the  password  formatting  standards,  see  section  “Password
         Formatting”.

       · -H, –handle=HANDLE: specifies the handle used to make EK persistent (hex).

       · -g,  –alg=ALGORITHM:  specifies the algorithm type of EK.  See section “Supported Public
         Object Algorithms” for a list of supported object algorithms.   See  section  “Algorithm
         Specifiers” on how to specify an algorithm argument.

       · -f, –output=FILE: Specifies the file used to save the public portion of EK.

       · -N, –non-persistent: specifies to readout the EK public without making it persistent.

       · -O,  –offline=FILE:  Specifies  the  file  that  contains  an  EK retrieved from offline
         platform that needs to be provisioned.

       · -E, –ec-cert=EC_CERT_FILE: Specifies the file used to save the  Endorsement  Credentials
         retrieved  from  the  TPM  manufacturer  provisioning server.  Defaults to stdout if not
         specified.

       · -U,  –SSL_NO_VERIFY:  specifies  to  attempt  connecting  with  the   TPM   manufacturer
         provisioning server with SSL_NO_VERIFY option.

       · -S,  –input-session-handle=SESSION_HANDLE:  Optional  Input session handle from a policy
         session for authorization.

COMMON OPTIONS

       This collection of options are common to many programs and provide information  that  many
       users may expect.

       · -h,  –help: Display the tools manpage.  This requires the manpages to be installed or on
         MANPATH, See man(1) for more details.

       · -v, –version: Display version information for this tool, supported tctis and exit.

       · -V, –verbose: Increase the information that the tool prints to the  console  during  its
         execution.  When using this option the file and line number are printed.

       · -Q, –quiet: Silence normal tool output to stdout.

       · -Z,  –enable-errata: Enable the application of errata fixups.  Useful if an errata fixup
         needs to be applied to commands sent to the TPM.  # TCTI ENVIRONMENT

       This collection of environment variables that may be used to configure  the  various  TCTI
       modules available.

       The  values  passed through these variables can be overridden on a per-command basis using
       the available command line options, see the TCTI_OPTIONS section.

       The variables respected depend on how the software was configured.

       · TPM2TOOLS_TCTI_NAME: Select the TCTI used for communication with the next component down
         the  TSS stack.  In most configurations this will be the TPM but it could be a simulator
         or proxy.  The current known TCTIs are:

         · tabrmd      -      The      new      resource       manager,       called       tabrmd
           (https://github.com/01org/tpm2-abrmd).

         · socket  -  Typically  used  with  the  old  resource manager, or talking directly to a
           simulator.

         · device - Used when talking directly to a TPM device file.

       · TPM2TOOLS_DEVICE_FILE: When using the device TCTI, specify the  TPM  device  file.   The
         default is “/dev/tpm0”.

         Note:  Using  the  tpm directly requires the users to ensure that concurrent access does
         not occur and that they manage the tpm resources.  These tasks are usually managed by  a
         resource  manager.   Linux  4.12  and  greater supports an in kernel resource manager at
         “/dev/tpmrm”, typically “/dev/tpmrm0”.

       · TPM2TOOLS_SOCKET_ADDRESS: When using the socket TCTI, specify  the  domain  name  or  IP
         address used.  The default is 127.0.0.1.

       · TPM2TOOLS_SOCKET_PORT:  When  using  the socket TCTI, specify the port number used.  The
         default is 2321.

TCTI OPTIONS

       This collection of options are used to configure the varous TCTI modules available.   They
       override any environment variables.

       · -T, –tcti=TCTI_NAME[:TCTI_OPTIONS]: Select the TCTI used for communication with the next
         component down the TSS stack.  In most configurations this will be the resource manager:
         tabrmd  (https://github.com/01org/tpm2-abrmd)  Optionally,  tcti  specific  options  can
         appended to TCTI_NAME by appending a : to TCTI_NAME.

         · For the device TCTI, the TPM device file for use by the device TCTI can be  specified.
           The default is /dev/tpm0.  Example: -T device:/dev/tpm0

         · For  the socket TCTI, the domain name or IP address and port number used by the socket
           can  be   specified.    The   default   are   127.0.0.1   and   2321.    Example:   -T
           socket:127.0.0.1:2321

         · For the abrmd TCTI, it takes no options.  Example: -T abrmd

Password Formatting

       Passwords  are  interpreted in two forms, string and hex-string.  A string password is not
       interpreted, and is directly used for authorization.  A hex-string, is  converted  from  a
       hexidecimal form into a byte array form, thus allowing passwords with non-printable and/or
       terminal un-friendly characters.

       By default passwords are assumed to be in the string form.   Password  form  is  specified
       with special prefix values, they are:

       · str:  - Used to indicate it is a raw string.  Useful for escaping a password that starts
         with the “hex:” prefix.

       · hex: - Used when specifying a password in hex string format.

Supported Public Object Algorithms

       Supported public object algorithms are:

       · 0x1 or rsa for TPM_ALG_RSA (default).

       · 0x8 or keyedhash for TPM_ALG_KEYEDHASH.

       · 0x23 or ecc for TPM_ALG_ECC.

       · 0x25 or symcipher for TPM_ALG_SYMCIPHER.

       NOTE: Your TPM may not support all algorithms.

Algorithm Specfiers

       Options that take algorithms support “nice-names”.  Nice names, like sha1 can be  used  in
       place of the raw hex for sha1: 0x4.  The nice names are converted by stripping the leading
       TPM_ALG_ from the Algorithm Name field and converting it  to  lower  case.   For  instance
       TPM_ALG_SHA3_256 becomes sha3_256.

       The     algorithms     can    be    found    at:    <https://trustedcomputinggroup.org/wp-
       content/uploads/TCG_Algorithm_Registry_Rev_1.24.pdf>

NOTES

       When the verbose option is specified, additional curl debugging information is provided by
       setting  the curl mode verbose, see: <https://curl.haxx.se/libcurl/c/CURLOPT_VERBOSE.html>
       for more information.

EXAMPLES

              tpm2_getmanufec -e abc123 -o abc123 -P passwd -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin https://tpm.manufacturer.com/ekcertserver/
              tpm2_getmanufec -e 1a1b1c -o 1a1b1c -P 123abc -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin https://tpm.manufacturer.com/ekcertserver/

RETURNS

       0 on success or 1 on failure.

BUGS

       Github Issues (https://github.com/01org/tpm2-tools/issues)

HELP

       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)