]>
Commit | Line | Data |
---|---|---|
f163b202 SB |
1 | =head1 NAME |
2 | ||
3 | swtpm | |
4 | ||
5 | =head1 SYNOPSIS | |
6 | ||
7 | B<swtpm socket [OPTIONS]> | |
8 | ||
29cfd0a4 SB |
9 | B<swtpm chardev [OPTIONS]> |
10 | ||
78c5f924 SB |
11 | B<swtpm cuse [OPTIONS]> |
12 | ||
f163b202 SB |
13 | =head1 DESCRIPTION |
14 | ||
15 | B<swtpm> implements a TPM software emulator built on libtpms. | |
29cfd0a4 | 16 | It provides access to TPM functionality over a TCP/IP socket interface |
78c5f924 SB |
17 | or it can listend for commands on a character device, or create a CUSE |
18 | (character device in userspace) interface for receiving of TPM commands. | |
f163b202 SB |
19 | |
20 | Unless corresponding command line parameters are used, the | |
29cfd0a4 | 21 | B<swtpm> socket version requires that the environment variable I<TPM_PORT> |
f163b202 SB |
22 | be set to the TCP/IP port the process is supposed to listen on for TPM |
23 | request messages. | |
24 | ||
bc525ccd | 25 | Similarly, the environment variable I<TPM_PATH> can be set and |
f163b202 | 26 | contain the name of a directory where the TPM can store its persistent |
bc525ccd | 27 | state into. |
f163b202 | 28 | |
29cfd0a4 | 29 | The B<swtpm> process can be gracefully terminated by sending a |
f163b202 SB |
30 | I<SIGTERM> signal to it. |
31 | ||
78c5f924 SB |
32 | The B<swtpm> cuse version requires root rights to start the TPM. |
33 | ||
29cfd0a4 SB |
34 | =head1 Options for socket interface |
35 | ||
f163b202 SB |
36 | The following options are supported if the I<socket> interface is chosen: |
37 | ||
38 | =over 4 | |
39 | ||
40 | =item B<-p|--port <port>> | |
41 | ||
42 | Use the given port rather than using the environment variable TPM_PORT. | |
43 | ||
29cfd0a4 SB |
44 | =item B<-t|--terminate> |
45 | ||
46 | Terminate the TPM after the client has closed the connection. | |
47 | ||
4716d35a | 48 | =item B<--server [type=tcp][,port=E<lt>portE<gt>[,bindaddress=E<lt>addressE<gt>[,ifname=E<lt>ifnameE<gt>]]][,fd=E<lt>fdE<gt>][,disconnect]> |
7c0a033f SB |
49 | |
50 | Expect TCP connections on the given port; if a port is not provided a file descriptor | |
51 | must be passed with the fd parameter and the commands are read from this file | |
52 | descriptor then. | |
16eb0ff2 SB |
53 | If a port is provided the I<bind address> on which to listen for TCP connections |
54 | can be provided as well; the default bind address is 127.0.0.1. If a link | |
55 | local IPv6 addresss if provided, the name of the interface to bind to must be | |
56 | provided with I<ifname>. | |
7c0a033f SB |
57 | |
58 | This parameter enables a persistent connection by default unless the disconnect option | |
59 | is given. This parameter should be used rather than the -p and --fd options. | |
60 | ||
73823529 SB |
61 | =item B<--server type=unixio[,path=E<lt>pathE<gt>][,fd=E<lt>fdE<gt>]> |
62 | ||
63 | Expect UnixIO connections on the given path. If no path is provide, a file descriptor | |
64 | must be passed instead. | |
65 | ||
29cfd0a4 SB |
66 | =back |
67 | ||
68 | ||
69 | =head1 Options for character device interface | |
70 | ||
78c5f924 | 71 | The following options are supported if the I<chardev> interface is chosen: |
29cfd0a4 SB |
72 | |
73 | =over 4 | |
74 | ||
75 | =item B<-c|--chardev <device path>> | |
76 | ||
77 | Use the given device to listen for TPM commands and send response on. | |
78 | ||
ee8b6c2d SB |
79 | =item B<--vtpm-proxy> |
80 | ||
81 | Create a Linux vTPM proxy device instance and read TPM commands from its | |
82 | backend device. | |
83 | ||
29cfd0a4 SB |
84 | =back |
85 | ||
86 | ||
78c5f924 | 87 | =head1 Options for the CUSE interface |
29cfd0a4 | 88 | |
78c5f924 | 89 | The following options are supported if the I<cuse> interface is chosen: |
29cfd0a4 SB |
90 | |
91 | =over 4 | |
92 | ||
78c5f924 | 93 | =item B<-n|--name <NAME>> |
f163b202 | 94 | |
78c5f924 SB |
95 | The TPM will use a device with the given name. A device with the given name |
96 | will be created in /dev. This is a mandatory option. | |
97 | ||
98 | =item B<-M|--maj <MAJOR>> | |
99 | ||
100 | Create the device with the given major number. | |
101 | ||
102 | =item B<-m|--min <MINOR>> | |
103 | ||
104 | Create the device with the given minor number. | |
105 | ||
106 | =item B<--migration-key file=E<lt>keyfileE<gt>[,format=E<lt>hex|binaryE<gt>][,mode=aes-cbc],[remove[=true|false]]> | |
107 | ||
108 | The availability of a migration key ensures that the state of the TPM | |
109 | will not be revealed in unencrypted form when | |
110 | the TPM state blobs are retreived through the ioctl interface. | |
111 | The migration key is not used for encrypting TPM state written to files, | |
112 | this is what the I<--key> parameter is used for. | |
113 | ||
114 | The migration key and the key used for encrypting the TPM state files may be the same. | |
115 | ||
116 | While the key for the TPM state files needs to stay with those files it encrypts, the | |
117 | migration key needs to stay with the TPM state blobs. If for example the state of the | |
118 | TPM is migrated between hosts in a data center, then the TPM migration key must be | |
119 | available at all the destinations, so in effect it may have to be a key shared across | |
120 | all machines in the datacenter. In contrast to that, the key used for encrypting the | |
121 | TPM state B<files> can be different for each TPM and need only be available | |
122 | on the host where the TPM state resides. | |
123 | ||
124 | The migration key enables the encryption of the TPM state blobs of the TPM. | |
125 | The keyfile must contain an AES key of supported size; currently only 128 bit (16 bytes) | |
126 | keys are supported. | |
127 | ||
128 | The key may be in binary format, in which case the file size must be 16 bytes. | |
129 | If the key is in hex format (default), the key may consist of 32 hex digits | |
130 | starting with an optional '0x'. | |
131 | ||
132 | The I<mode> parameter indicates which block chaining mode is to be used. | |
133 | Currently only aes-cbc is supported. | |
134 | ||
135 | The I<remove> parameter will attempt to remove the given keyfile once the key | |
136 | has been read. | |
137 | ||
138 | =item B<--migration-key pwdfile=E<lt>passphrase fileE<gt>[,mode=aes-cbc],[remove[=true|false]]> | |
139 | ||
140 | This variant of the migration key parameter allows to provide a passphrase in a file. | |
141 | A maximum of 32 bytes are read from the file and a key is derived from it using a | |
142 | SHA512 hash. Currently only 128 bit keys are supported. | |
143 | ||
144 | =back | |
145 | ||
146 | ||
147 | =head1 Options for socket and character device interfaces: | |
148 | ||
149 | The following options are supported by the socket and character device interfaces: | |
150 | ||
151 | =over 4 | |
f163b202 SB |
152 | |
153 | =item B<-f|--fd <fd>> | |
154 | ||
29cfd0a4 SB |
155 | Use the given socket file descriptor or character device file descriptor |
156 | for receiving TPM commands and sending responses. | |
157 | For the socket interface, this option automatically assumes -t. | |
f163b202 | 158 | |
78c5f924 SB |
159 | =item B<-d|--daemon> |
160 | ||
161 | Daemonize the process. | |
162 | ||
16eb0ff2 | 163 | =item B<--ctrl type=[unixio|tcp][,path=E<lt>pathE<gt>][,port=E<lt>portE<gt>[,bindaddress=E<lt>addressE<gt>[,ifname=E<lt>ifnameE<gt>]]][,fd=E<lt>filedescriptorE<gt>] > |
9ddc6998 SB |
164 | |
165 | This option adds a control channel to the TPM. The control channel can either use a UnixIO socket with | |
166 | a given I<path> or I<filedescriptor> or it can use a TCP socket on the given I<port> or I<filedescriptor>. | |
16eb0ff2 SB |
167 | If a port is provided the I<bind address> on which to listen for TCP connections |
168 | can be provided as well; the default bind address is 127.0.0.1. If a link | |
169 | local IPv6 addresss if provided, the name of the interface to bind to must be | |
170 | provided with I<ifname>. | |
9ddc6998 SB |
171 | |
172 | The control channel enables out-of-band control of the TPM, such as resetting the TPM. | |
173 | ||
78c5f924 SB |
174 | =back |
175 | ||
176 | ||
177 | =head1 Options for all interfaces | |
178 | ||
179 | The following options are support by all interfaces: | |
180 | ||
181 | =over 4 | |
182 | ||
183 | =item B<--tpmstate dir=E<lt>dirE<gt>> | |
184 | ||
185 | Use the given path rather than using the environment variable TPM_PATH. | |
186 | ||
f163b202 SB |
187 | =item B<--log fd=E<lt>fdE<gt>|file=E<lt>pathE<gt>> |
188 | ||
189 | Enable logging to a file given its file descriptor or its path. Use '-' for path to | |
190 | suppress the logging. | |
191 | ||
192 | =item B<--key file=E<lt>keyfileE<gt>[,format=E<lt>hex|binaryE<gt>][,mode=aes-cbc],[remove[=true|false]]> | |
193 | ||
194 | Enable encryption of the state files of the TPM. The keyfile must contain | |
195 | an AES key of supported size; currently only 128 bit (16 bytes) keys are | |
196 | supported. | |
197 | ||
198 | The key may be in binary format, in which case the file size must be 16 bytes. | |
199 | If the key is in hex format (default), the key may consist of 32 hex digits | |
200 | starting with an optional '0x'. | |
201 | ||
202 | The I<mode> parameter indicates which block chaining mode is to be used. | |
203 | Currently only aes-cbc is supported. | |
204 | ||
205 | The I<remove> parameter will attempt to remove the given keyfile once the key | |
206 | has been read. | |
207 | ||
208 | =item B<--key pwdfile=E<lt>passphrase fileE<gt>[,mode=aes-cbc],[remove[=true|false]]> | |
209 | ||
210 | This variant of the key parameter allows to provide a passphrase in a file. | |
211 | A maximum of 32 bytes are read from the file and a key is derived from it using a | |
212 | SHA512 hash. Currently only 128 bit keys are supported. | |
213 | ||
b2151737 SB |
214 | =item B<--pid file=E<lt>pidfileE<gt>> |
215 | ||
216 | This options allows to set the name of file where the process ID (pid) of the TPM | |
217 | will be written into. | |
218 | ||
bb420d74 SB |
219 | =item B<-r|--runas E<lt>ownerE<gt>> |
220 | ||
221 | Switch to the given user. This option can only be used when swtpm is started as root. | |
222 | ||
f163b202 SB |
223 | =item B<-h|--help> |
224 | ||
225 | Display usage info. | |
226 | ||
227 | =back | |
228 | ||
229 | ||
230 | =head1 SEE ALSO | |
231 | ||
78c5f924 | 232 | B<swtpm_bios>, B<swtpm_cuse> |