=head1 NAME

swtpm_localca - Local CA to create EK and platform certs for swtpm

=head1 SYNOPSIS

B<swtpm_localca [OPTIONS]>

=head1 DESCRIPTION

B<swtpm_localca> is a tool to create TPM Endorsement Key (EK) and platform
certificates on the host. It uses the I<swtpm_cert> program to create
the certificates.

The program will typically be invoked by the I<swtpm_setup> program,
which uses the I</etc/swtpm_setup.conf> configuration file where
a variable needs to be set that points to this program.
It implements the command line options that the I<swtpm_setup>
program uses to provide the necessary parameters to it.

B<swtpm_localca> will automatically try to create the signing key and
certificate if the configuration points to a missing signing key.
Since this certificate must be signed by a CA, a root certificate authority
will also be created and will sign this certificate. The root CA's
private key and certificate will be located in the same directory as the
signing key and have the names swtpm-localca-rootca-privkey.pem and
swtpm-localca-rootca-cert.pem respectively. The environment variable
SWTPM_ROOTCA_PASSWORD can be set for the password of the root CA's
private key.

Note: Due to limitations of 'certtool', the passwords used for
securing the root CA's private key and the intermediate CA's private
key have to be passed over the command line and therefore will be visible
to others on the system. If you are concerned about this, you should create
the CAs elsewhere and copy them onto the target system.

The following options are supported:

=over 4

=item B<--type type>

This parameter indicates the type of certificate to create. The type parameter may
be one of the following: I<ek> or I<platform>.

=item B<--dir dir>

This parameter indicates the directory into which the certificate is to be stored.
The EK certificate is stored in this directory under the name
ek.cert and the platform certificate under the name platform.cert.

=item B<--ek ek>

This parameter indicates the modulus of the public key of the endorsement key
(EK). The public key is provided as a sequence of ASCII hex digits.

In case ECC (elliptic curve cryptography) keys are used, the parameter must
have the format --ek x=<hex digits>,y=<hex digits>,id=<curve id>. The
id=<curve id> part is optional and only necessary for ECC curves other
than secp256r1.

=item B<--vmid ID>

This parameter indicates the ID of the VM for which to create the certificate.

=item B<--logfile <logfile>>

The log file to log output to; by default logging goes to stdout and stderr
on the console.

=item B<--configfile <configuration file>>

The configuration file to use. If omitted, the default configuration
file I</etc/swtpm-localca.conf> will be used.

=item B<--optsfile <options file>>

The options file to use. If omitted, the default options file
I</etc/swtpm-localca.options> will be used.

=item B<--tpm-spec-family>, B<--tpm-spec-revision>, B<--tpm-spec-level>

TPM specification parameters that describe the specification that was
followed for the TPM implementation. The parameters will be passed
to swtpm_cert for the creation of the EK certificate.

=item B<--tpm2>

Create TPM 2 compliant certificates.

=item B<--allow-signing>

Create an EK that can also be used for signing. Without this option, the
EK can only be used for key encipherment. This option requires --tpm2.

=item B<--decryption>

If --allow-signing is passed and the EK should also be usable for key
encipherment, this option must be passed. Otherwise key encipherment is the
default. This option requires --tpm2.

=back
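The following is an added example, not code from the swtpm project or this man page. It validates the option values described above before a caller (such as a setup script standing in for I<swtpm_setup>) spawns swtpm_localca: it parses both forms of the --ek argument (a bare hex modulus for RSA, or x=<hex digits>,y=<hex digits>[,id=<curve id>] for ECC, with id defaulting to secp256r1), restricts --type to I<ek> or I<platform>, and rejects --allow-signing or --decryption without --tpm2. The function names, the dataclass and the sample values are constructed for illustration; only the option names and formats come from the man page.

```python
# Added example (not part of the swtpm_localca man page or the swtpm project):
# validate the documented option values before invoking swtpm_localca.
# Function and class names here are hypothetical; swtpm_localca is the real tool.
import re
from dataclasses import dataclass
from typing import List, Optional

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DEFAULT_CURVE = "secp256r1"          # id=<curve id> may be omitted for this curve
VALID_TYPES = ("ek", "platform")     # the two values --type accepts


@dataclass
class EkPublicKey:
    """Either an RSA modulus or an ECC point, as given on the --ek command line."""
    kind: str                          # "rsa" or "ecc"
    modulus: Optional[str] = None      # RSA: hex digits of the modulus
    x: Optional[str] = None            # ECC: hex digits of the x coordinate
    y: Optional[str] = None            # ECC: hex digits of the y coordinate
    curve_id: Optional[str] = None     # ECC: curve name, defaulting to secp256r1


def parse_ek_argument(value: str) -> EkPublicKey:
    """Parse the two --ek formats: '<hex modulus>' or 'x=<hex>,y=<hex>[,id=<curve id>]'."""
    if "=" not in value:
        # RSA: the whole value is the modulus as ASCII hex digits.
        if not HEX_RE.match(value):
            raise ValueError("RSA EK modulus must consist of hex digits only")
        return EkPublicKey(kind="rsa", modulus=value)

    fields = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if not sep or not key or not val:
            raise ValueError(f"malformed ECC field {part!r}; expected key=value")
        if key in fields:
            raise ValueError(f"duplicate ECC field {key!r}")
        fields[key] = val

    unknown = sorted(set(fields) - {"x", "y", "id"})
    if unknown:
        raise ValueError(f"unknown --ek field(s): {', '.join(unknown)}")
    for coord in ("x", "y"):
        if coord not in fields:
            raise ValueError(f"ECC EK requires {coord}=<hex digits>")
        if not HEX_RE.match(fields[coord]):
            raise ValueError(f"ECC coordinate {coord} must consist of hex digits only")

    return EkPublicKey(kind="ecc", x=fields["x"], y=fields["y"],
                       curve_id=fields.get("id", DEFAULT_CURVE))


def build_localca_args(cert_type: str, directory: str, ek: str, vmid: str,
                       tpm2: bool = False, allow_signing: bool = False,
                       decryption: bool = False) -> List[str]:
    """Assemble an argv for swtpm_localca, enforcing the documented option constraints."""
    if cert_type not in VALID_TYPES:
        raise ValueError(f"--type must be one of {VALID_TYPES}, got {cert_type!r}")
    parse_ek_argument(ek)              # reject a malformed --ek before spawning the tool
    if (allow_signing or decryption) and not tpm2:
        raise ValueError("--allow-signing and --decryption require --tpm2")

    argv = ["swtpm_localca", "--type", cert_type, "--dir", directory,
            "--ek", ek, "--vmid", vmid]
    if tpm2:
        argv.append("--tpm2")
    if allow_signing:
        argv.append("--allow-signing")
    if decryption:
        argv.append("--decryption")
    return argv


if __name__ == "__main__":
    # Constructed sample values; a real EK modulus or coordinate is far longer.
    print(parse_ek_argument("x=0a1b,y=2c3d"))
    print(build_localca_args("ek", "/var/lib/swtpm/vm1", "c0ffee", "vm1",
                             tpm2=True, allow_signing=True, decryption=True))
```

The returned list is meant to be handed to subprocess.run() without a shell, so the hex values and the VM ID are never re-parsed by a shell; the --ek string is passed through unchanged after validation, since swtpm_localca expects it verbatim.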

=head1 SEE ALSO

B<swtpm-localca.conf>, B<swtpm-localca.options>,
B<swtpm_setup>, B<swtpm_setup.conf>

=head1 REPORTING BUGS

Report bugs to Stefan Berger <stefanb@linux.vnet.ibm.com>