man pages: add paragraph about --allow-signing to swtpm_setup.pod

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

diff --git a/man/man8/swtpm_setup.8 b/man/man8/swtpm_setup.8
index 1db73cf8dc45f5e6ce84271bb5cbab644d1b0cf1..247f270f034c9b3b3715fa88bd245da3e4eefcd6 100644 (file)
--- a/man/man8/swtpm_setup.8
+++ b/man/man8/swtpm_setup.8
@@ -176,6 +176,12 @@ Create the \s-1EK\s0
 .IP "\fB\-\-allow\-signing\fR" 4
 .IX Item "--allow-signing"
 Create an \s-1EK\s0 that can sign. This option requires \-\-tpm2.
+.Sp
+Note that the \s-1TCG\s0 specification \*(L"\s-1EK\s0 Credential Profile For \s-1TPM\s0 Family 2.0; Level 0\*(R"
+suggests in its section on \*(L"\s-1EK\s0 Usage\*(R" that \*(L"the Endorsement Key can be a
+created as a decryption or signing key.\*(R" However, some platforms will
+not accept an \s-1EK\s0 as a signing key, or as a signing and encryption key, and
+therefore this option should be used very carfully.
 .IP "\fB\-\-decryption\fR" 4
 .IX Item "--decryption"
 Create an \s-1EK\s0 that can be used for key encipherment. This is the default

diff --git a/man/man8/swtpm_setup.pod b/man/man8/swtpm_setup.pod
index 76337df8904e895e98b4ba163783fd06db6e8201..d8d9badc5f3a39863beb89b6328bd005fb481e74 100644 (file)
--- a/man/man8/swtpm_setup.pod
+++ b/man/man8/swtpm_setup.pod
@@ -49,6 +49,12 @@ Create the EK
 
 Create an EK that can sign. This option requires --tpm2.
 
+Note that the TCG specification "EK Credential Profile For TPM Family 2.0; Level 0"
+suggests in its section on "EK Usage" that "the Endorsement Key can be a
+created as a decryption or signing key." However, some platforms will
+not accept an EK as a signing key, or as a signing and encryption key, and
+therefore this option should be used very carfully.
+
 =item B<--decryption>
 
 Create an EK that can be used for key encipherment. This is the default