.\" Automatically generated by Pandoc 1.19.2.4
.\"
.TH "tss2_provision" "1" "APRIL 2019" "tpm2\-tools" "General Commands Manual"
.hy
.SH NAME
.PP
\f[B]tss2_provision\f[](1) \- provision a FAPI instance and its
associated TPM
.SH SYNOPSIS
.PP
\f[B]tss2_provision\f[] [\f[I]OPTIONS\f[]]
.SH SEE ALSO
.PP
\f[B]fapi\-config(5)\f[] to adjust FAPI parameters such as the
cryptographic profile in use, the TCTI, and the directories of the FAPI
metadata stores.
.PP
\f[B]fapi\-profile(5)\f[] to determine the cryptographic algorithms and
parameters for all keys and operations of a specific TPM interaction,
such as the name hash algorithm, the asymmetric signature algorithm,
scheme and parameters, and the PCR bank selection.
.SH DESCRIPTION
.PP
\f[B]tss2_provision\f[](1) \- This command provisions a FAPI instance
and its associated TPM.
The steps taken are:
.IP \[bu] 2
Retrieve the EK template, nonce and certificate, verify that they match
the TPM\[aq]s EK and store them in the key store.
.IP \[bu] 2
Set the authorization values and policies for the owner (storage
hierarchy), the privacy administrator (endorsement hierarchy) and the
lockout authority.
.IP \[bu] 2
Scan the TPM\[aq]s NV indices and create entries for them in the FAPI
metadata store.
This operation MAY use a heuristic to guess the programs that created
the NV indices found and name the entries accordingly.
.IP \[bu] 2
Create the SRK (storage primary key) inside the TPM, make it persistent
if required by the cryptographic profile (cf.,
\f[B]fapi\-profile(5)\f[]) and store its metadata in the system\-wide
FAPI metadata store.
Note that the SRK will not have an authorization value associated.
.PP
If an authorization value is associated with the storage hierarchy, it
is highly recommended that the SRK, which has no authorization value of
its own, is made persistent: creating a primary key in the storage
hierarchy requires the owner authorization, so a non\-persistent SRK
would have to be recreated, with the owner authorization supplied,
whenever FAPI needs it.
.PP
The paths of the different metadata stores for keys and NV indices are
configured in the FAPI configuration file (cf.,
\f[B]fapi\-config(5)\f[]).
.SH OPTIONS
.PP
These are the available options.
Note that on Linux an authorization value given on the command line is
visible to other local users in process listings (e.g.
via \f[I]/proc/<pid>/cmdline\f[]) while the tool runs, and is recorded
in the shell history when typed interactively.
.IP \[bu] 2
\f[B]\-E\f[], \f[B]\-\-authValueEh\f[]=\f[I]STRING\f[]: The
authorization value for the privacy admin, i.e.
the endorsement hierarchy.
Optional parameter.
.IP \[bu] 2
\f[B]\-S\f[], \f[B]\-\-authValueSh\f[]=\f[I]STRING\f[]: The
authorization value for the owner, i.e.
the storage hierarchy.
Optional parameter.
.IP \[bu] 2
\f[B]\-L\f[], \f[B]\-\-authValueLockout\f[]=\f[I]STRING\f[]: The
authorization value for the lockout authority.
Optional parameter.
.SH COMMON OPTIONS
.PP
This collection of options is common to all tss2 programs and provides
information that many users may expect.
.IP \[bu] 2
\f[B]\-h\f[], \f[B]\-\-help [man|no\-man]\f[]: Display the tool\[aq]s
manpage.
By default, it attempts to invoke the manpager for the tool; on failure
it outputs a short tool summary.
This is the same behavior as when the "man" option argument is
specified, except that with an explicit "man" the tool will also report
errors from man on stderr.
If the "no\-man" option is specified, or the manpager fails, the short
options are output to stdout.
.RS 2
.PP
Using the manpage feature requires the manpages to be installed or on
\f[I]MANPATH\f[]; see \f[B]man\f[](1) for more details.
.RE
.IP \[bu] 2
\f[B]\-v\f[], \f[B]\-\-version\f[]: Display version information for this
tool and the supported TCTIs, then exit.
.SH EXAMPLE
.IP
.nf
\f[C]
tss2_provision
\f[]
.fi
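.PP
The following script is an added example and not part of tpm2\-tools or
of this manpage: it provisions the TPM with freshly generated
authorization values for the storage hierarchy, endorsement hierarchy
and lockout authority, keeps a root\-only copy of them, and acts on the
exit status documented under RETURNS.
The variables \f[I]AUTH_FILE\f[], \f[I]TSS2_PROVISION_CMD\f[] and
\f[I]AUTH_BYTES\f[] and all function names are this script\[aq]s own
conventions (assumptions), not something the tool defines.

```shell
#!/bin/sh
# Added example, not part of tpm2-tools: provision a TPM through FAPI with
# freshly generated hierarchy authorization values, keep a root-only copy of
# them, and act on tss2_provision's documented exit status (0 ok, 1 failure).
#
# The following names are this script's own conventions (assumptions, not
# something tss2_provision defines):
#   AUTH_FILE           where the generated values are stored (mode 0600)
#   TSS2_PROVISION_CMD  the command to run; a test can point it at a stub
#   AUTH_BYTES          random bytes per authorization value

: "${AUTH_FILE:=/etc/tpm2-fapi/hierarchy-auth}"
: "${TSS2_PROVISION_CMD:=tss2_provision}"
: "${AUTH_BYTES:=32}"

# gen_auth prints AUTH_BYTES random bytes from /dev/urandom as lowercase hex,
# i.e. 2*AUTH_BYTES characters, so the value is a plain printable STRING.
gen_auth() {
    od -An -v -N "$AUTH_BYTES" -tx1 /dev/urandom | tr -d ' \n'
}

# save_auths writes the owner, endorsement and lockout values to AUTH_FILE.
# The parent directory is created with mode 0700 and the file is created
# under umask 077 (a subshell keeps the umask change local).
save_auths() {
    owner=$1; endorsement=$2; lockout=$3
    dir=$(dirname "$AUTH_FILE")
    [ -d "$dir" ] || mkdir -p -m 0700 "$dir" || return 1
    ( umask 077
      printf 'owner=%s\nendorsement=%s\nlockout=%s\n' \
          "$owner" "$endorsement" "$lockout" > "$AUTH_FILE" )
}

# provision_tpm maps the three values onto the tool's long options, leaving
# out empty ones because each option is optional, and returns the tool's
# exit status.  Caveat: the values are command-line arguments, so they are
# visible to other local users (e.g. via /proc/<pid>/cmdline) while the
# tool runs; this wrapper only keeps them out of interactive shell history.
provision_tpm() {
    owner=$1; endorsement=$2; lockout=$3
    set --
    [ -n "$owner" ]       && set -- "$@" "--authValueSh=$owner"
    [ -n "$endorsement" ] && set -- "$@" "--authValueEh=$endorsement"
    [ -n "$lockout" ]     && set -- "$@" "--authValueLockout=$lockout"
    "$TSS2_PROVISION_CMD" "$@"
}

# main refuses to run if AUTH_FILE already exists (so an earlier
# provisioning's values are never overwritten), then generates, stores and
# applies the values.  Returns 0 on success, non-zero otherwise.
main() {
    if [ -e "$AUTH_FILE" ]; then
        echo "refusing to overwrite existing $AUTH_FILE" >&2
        return 1
    fi
    owner=$(gen_auth); endorsement=$(gen_auth); lockout=$(gen_auth)
    save_auths "$owner" "$endorsement" "$lockout" || return 1
    provision_tpm "$owner" "$endorsement" "$lockout"
    status=$?
    if [ "$status" -eq 0 ]; then
        echo "TPM provisioned; authorization values stored in $AUTH_FILE"
    else
        echo "tss2_provision failed with exit status $status;" \
             "generated values kept in $AUTH_FILE" >&2
    fi
    return "$status"
}

# Only run when invoked as "sh provision-tpm.sh run"; otherwise the file just
# defines the functions above and can be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

.PP
Invoke it as \f[C]sh provision\-tpm.sh run\f[] as root; without the
\f[C]run\f[] argument it only defines the functions.
Because \f[B]tss2_provision\f[] takes the values as command\-line
\f[I]STRING\f[] arguments, the script cannot keep them out of process
listings for the duration of the call; it only avoids the shell history
and stores the copy with mode 0600.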
.SH RETURNS
.PP
0 on success or 1 on failure.
.SH BUGS
.PP
Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
.SH HELP
.PP
See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)