oracular (8) swtpm-create-tpmca.8.gz

Provided by: swtpm-tools_0.7.3-0ubuntu7_amd64 bug

NAME

       swtpm-create-tpmca - Tool to create a local CA for swtpm_localca

SYNOPSIS

       swtpm-create-tpmca [OPTIONS]

DESCRIPTION

       swtpm-create-tpmca is a tool to create a TPM 1.2 based CA that can be used by
       swtpm_localca to sign EK and platform certificates.  The CA uses a GnuTLS key to sign
       certificates. To do this, GnuTLS talks to the TPM 1.2 using the tcsd (TrouSerS) daemon.

       Since the TPM CA's certificate must be signed by a CA, a root certificate authority will
       also be created and will sign this certificate. The root CA's private key and certificate
       will be located in the same directory as the signing key and have the names
       swtpm-localca-rootca-privkey.pem and swtpm-localca-rootca-cert.pem respectively. The
       environment variable SWTPM_ROOTCA_PASSWORD can be set for the password of the root CA's
       private key.

       Note: This tool is experimental. See the section on known issues below.

       The following options are supported:

       --dir dir
           The directory where the keys will be written to. An existing root CA with the files
           swtpm-localca-rootca-privkey.pem and swtpm-localca-rootca-cert.pem in this directory
           will be reused. If either one of these files does not exist, a new root CA will be
           created.

       --overwrite
           Overwrite the contents of the output directory.

       --register
           Register the key with TCSD. For the key to be available for signing, the same user
           that created the TPM CA has to run the swtpm_localca tool later on. If this option is
           not passed, the private key is written into a file and can be used by others as well.

       --key-password s
           The new signing key will get this password.

           Note: Due to a bug in GnuTLS certtool it may be necessary to use the same password for
           the signing key as for the SRK.

       --srk-password s
           The TPM SRK password.

           Note: Since GnuTLS tpmtool does not support the 'well known' password of 20 zero
           bytes, the SRK password must be set.

       --outfile filename
           The name of a file where to write the swtpm-localca.conf configuration to.

       --owner owner
           The name or uid number of the owner who will own the directory and outfile file. This
           option only has an effect if this swtpm-create-tpmca is run by the root user.

       --group group
           The name or gid number of the group who will own the directory and outfile file. This
           option only has an effect if this swtpm-create-tpmca is run by the root user.

       --tss-tcsd-hostname
           The hostname where tcsd is running on. The default hostname is 'localhost'.

       -tss-tcsd-port
           The TCP port on which tcsd is listening for messages. The default port is 30003.

       --tpm2
           The TPM to use for signing the certificates is a TPM 2 and Intel's TSS stack must be
           running (tpm2-abrmd) along with its PKCS11 module.  The TPM 2 PKCS11 module must have
           been initialized using the tpm2_ptool.

           The environment variables SWTPM_PKCS11_PIN and SWTPM_PKCS11_SO_PIN should be set to
           hold the PINs. If SWTPM_PKCS11_PIN is not set then the default PIN 'swtpm-tpmca' will
           be used. SWTPM_PKCS11_SO_PIN is needed for creating the token and must be explicitly
           set as an environment variable.

       --pid pimary-object-id
           The primary object id that the tpm2_ptool returns upon 'init'.

       -help, -h, -?
           Display the help screen and exit.

EXAMPLE

       The following example creates an intermediate TPM CA and writes the keys into
       /var/lib/swtpm-localca and the swtpm_localca configuration to /etc/swtpm-localca.conf. It
       can then be used for signing certificates of newly created swtpm TPMs.

       If the host's TPM is a TPM 1.2, we need to start the tcsd first and can then create the
       TPM key and TPM CA certificate:

        #> sudo systemctl start tcsd
        #> sudo /usr/share/swtpm/swtpm-create-tpmca \
                       --dir /var/lib/swtpm-localca \
                       --overwrite \
                       --outfile /etc/swtpm-localca.conf \
                       --srk-password password \
                       --key-password password \
                       --group tss
        statedir = /var/lib/swtpm-localca
        signingkey = tpmkey:file=/var/lib/swtpm-localca/swtpm-localca-tpmca-privkey.pem
        issuercert = /var/lib/swtpm-localca/swtpm-localca-tpmca-cert.pem
        certserial = /var/lib/swtpm-localca/certserial
        TSS_TCSD_HOSTNAME = localhost
        TSS_TCSD_PORT = 30003
        signingkey_password = password
        parentkey_password = password

       Alternatively, if the host's TPM is a TPM 2 and Intel's TPM 2 stack is installed, we need
       to start tpm2-abrmd first and can then create the TPM key and TPM CA certificate:

        #> sudo systemctl start tpm2-abrmd
        #> tpm2_ptool init
        action: Created
        id: 1                   # this is the --pid parameter below
        #> sudo SWTPM_PKCS11_PIN="mypin 123" SWTPM_PKCS11_SO_PIN=123 /usr/share/swtpm/swtpm-create-tpmca \
                       --dir /var/lib/swtpm-localca \
                       --overwrite \
                       --outfile /etc/swtpm-localca.conf \
                       --group tss \
                       --tpm2 \
                       --pid 1
        statedir = /var/lib/swtpm-localca
        signingkey = pkcs11:model=SW%20%20%20TPM\;manufacturer=IBM\;serial=0000000000000000\;token=swtpm-tpmca-1\;id=%31\;object=swtpm-tpmca-key\;type=private
        issuercert = /var/lib/swtpm-localca/swtpm-localca-tpmca-cert.pem
        certserial = /var/lib/swtpm-localca/certserial
        SWTPM_PKCS11_PIN = mypin 123

       Note: This also works for non-root users by adapting the --dir and --outfile parameters
       here and below by changing the --dir parameter and adding a --config parameter.

       To test either one of the above TPM CAs, run the following command:

        #> swtpm_localca \
               --type ek --ek x=11,y=13 \
               --dir /tmp --vmid test --tpm2 \
               --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 00 \
               --tpm-model swtpm --tpm-version 20170101 --tpm-manufacturer IBM

       The --tpm2 in this command indicates that the TPM for which the certificate is created is
       a TPM 2.

KNOWN ISSUES

       The interaction of GnuTLS certtool with the TPM TCSD daemon may cause so many TPM (key)
       authentication failures that the TPM refuses to accept any more authenticated commands
       until the TPM's owner sends it the TPM_ORD_ResetLockValue command. The reason for this is
       that certtool first tries to use 20 zero bytes for the SRK password and only then prompts
       for and uses the required SRK password. The GnuTLS tpmtool does not support 20 zero bytes
       for the SRK password, so forces the usage of a 'real' password.

       The effect of the authentication failures may be that the TPM CA cannot sign certificates
       since the TPM does not accept authenticated commands.

SEE ALSO

       swtpm_localca, swtpm-localca.conf, tcsd

REPORTING BUGS

       Report bugs to Stefan Berger <stefanb@linux.ibm.com>